CVE-2026-29606 Overview
OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass vulnerability in the voice-call extension. This authentication bypass allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks.
Critical Impact
This vulnerability enables attackers to bypass Twilio webhook signature verification, allowing unauthorized access to voice-call functionality and potential request flooding attacks against affected OpenClaw deployments.
Affected Products
- OpenClaw versions prior to 2026.2.14
- OpenClaw voice-call extension with tunnel.allowNgrokFreeTierLoopbackBypass enabled
- Deployments using ngrok free tier tunneling
Discovery Timeline
- 2026-03-05 - CVE-2026-29606 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-29606
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The flaw exists in the voice-call extension's webhook security implementation when ngrok free tier compatibility mode is enabled.
The core issue lies in how the allowNgrokFreeTierLoopbackBypass configuration option was implemented. Originally, this option was intended to provide compatibility with ngrok's free tier by allowing signature verification failures on ngrok-free.app URLs for loopback requests from the ngrok local agent. However, the implementation incorrectly bypassed signature verification entirely for these requests, rather than using an alternative verification method.
When an attacker identifies a publicly accessible webhook endpoint on an affected OpenClaw installation with this option enabled, they can send arbitrary requests without the required X-Twilio-Signature header. This allows forged webhook events to be processed as legitimate Twilio communications.
Root Cause
The root cause is an improper implementation of the ngrok free tier compatibility feature. The allowNgrokFreeTierLoopbackBypass option was designed to handle cases where ngrok's free tier URL structure made standard signature verification challenging. However, instead of implementing proper URL reconstruction for signature verification, the code completely skipped signature validation when this option was enabled for loopback requests.
The vulnerability stems from a misunderstanding of the security requirement: the option should only trust forwarded headers to reconstruct the public ngrok URL so that signature verification can succeed against the URL Twilio actually signed, not bypass the verification step altogether.
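To make the distinction concrete, the following is an added TypeScript example, not OpenClaw's own code: the request shape, the header names X-Forwarded-Proto and X-Forwarded-Host, the treatment of publicUrl as the complete signed URL, and all function names are assumptions. It places the short-circuit the advisory describes beside the corrected logic, in which the option only decides which URL is fed into Twilio's HMAC-SHA1 check and the check itself always runs. Note that a request arriving through the ngrok agent is always a loopback peer, which is why "loopback only" on its own is no protection.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical request shape; OpenClaw's real handler types are not on the page.
export interface WebhookRequest {
  remoteAddress: string;            // socket peer; 127.0.0.1 when the ngrok local agent forwards
  localUrl: string;                 // URL as seen by the local listener
  headers: Record<string, string>;  // lower-cased header names
  params: Record<string, string>;   // parsed application/x-www-form-urlencoded body
}

export interface VerifyOptions {
  publicUrl?: string;                         // assumed to be the full signed URL when set
  allowNgrokFreeTierLoopbackBypass?: boolean;
}

// Twilio's documented scheme: HMAC-SHA1 keyed with the account auth token over the
// full public URL followed by the POST parameters sorted by name (name+value), base64.
export function computeTwilioSignature(authToken: string, url: string, params: Record<string, string>): string {
  const data = Object.keys(params).sort().reduce((acc, k) => acc + k + params[k], url);
  return createHmac("sha1", authToken).update(data).digest("base64");
}

function isLoopback(addr: string): boolean {
  return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
}

// The check proper: reject when the header is missing, compare in constant time otherwise.
function checkSignature(req: WebhookRequest, authToken: string, url: string): boolean {
  const provided = req.headers["x-twilio-signature"];
  if (!provided) return false;
  const expected = computeTwilioSignature(authToken, url, req.params);
  const a = Buffer.from(provided), b = Buffer.from(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Which URL did Twilio sign? Forwarded headers (assumed names) are trusted only when
// the option is on AND the peer is loopback; they never replace the check itself.
export function resolveSignedUrl(req: WebhookRequest, opts: VerifyOptions): string {
  if (opts.publicUrl) return opts.publicUrl;
  if (opts.allowNgrokFreeTierLoopbackBypass && isLoopback(req.remoteAddress)) {
    const proto = req.headers["x-forwarded-proto"];
    const host = req.headers["x-forwarded-host"];
    if (proto && host) {
      const local = new URL(req.localUrl);
      return `${proto}://${host}${local.pathname}${local.search}`;
    }
  }
  return req.localUrl;
}

// Pre-2026.2.14 behaviour as the advisory describes it: the option short-circuits
// verification for loopback peers, so an unsigned request is accepted.
export function verifyVulnerable(req: WebhookRequest, authToken: string, opts: VerifyOptions): boolean {
  if (opts.allowNgrokFreeTierLoopbackBypass && isLoopback(req.remoteAddress)) return true;
  return checkSignature(req, authToken, opts.publicUrl ?? req.localUrl);
}

// Corrected behaviour: the option only changes the URL; the HMAC is always checked.
export function verifyHardened(req: WebhookRequest, authToken: string, opts: VerifyOptions): boolean {
  return checkSignature(req, authToken, resolveSignedUrl(req, opts));
}
```

With the option enabled, verifyVulnerable accepts a loopback request that carries no X-Twilio-Signature at all, while verifyHardened rejects it; a genuine request signed over the ngrok-free.app URL fails against the local listener URL but passes once the forwarded headers rebuild the public URL.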
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker must identify an OpenClaw instance with the voice-call extension deployed and the tunnel.allowNgrokFreeTierLoopbackBypass configuration option enabled.
The attack sequence involves:
- Discovering a publicly accessible OpenClaw webhook endpoint
- Crafting forged webhook requests mimicking legitimate Twilio events
- Sending requests without valid X-Twilio-Signature headers
- Achieving unauthorized webhook event handling or request flooding
// Security patch in extensions/voice-call/src/config.ts
// Source: https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51b5c9
ngrokDomain: z.string().min(1).optional(),
/**
* Allow ngrok free tier compatibility mode.
- * When true, signature verification failures on ngrok-free.app URLs
- * will be allowed only for loopback requests (ngrok local agent).
+ * When true, forwarded headers may be trusted for loopback requests
+ * to reconstruct the public ngrok URL used for signing.
+ *
+ * IMPORTANT: This does NOT bypass signature verification.
*/
allowNgrokFreeTierLoopbackBypass: z.boolean().default(false),
})
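Review bot: the option is still named allowNgrokFreeTierLoopbackBypass while the new comment says "This does NOT bypass signature verification"; a key whose name contradicts its doc comment invites exactly the misreading that produced the bug. Consider a name such as trustForwardedHeadersOnLoopback with the old key kept as a deprecated alias, and since this hunk changes only the comment, keep `.default(false)` so configurations that omit the key stay on the safe path.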
// Security patch in extensions/voice-call/src/webhook-security.ts
// Source: https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51b5c9
options?: {
/** Override the public URL (e.g., from config) */
publicUrl?: string;
- /** Allow ngrok free tier compatibility mode (loopback only, less secure) */
+ /**
+ * Allow ngrok free tier compatibility mode (loopback only).
+ *
+ * IMPORTANT: This does NOT bypass signature verification.
+ * It only enables trusting forwarded headers on loopback so we can
+ * reconstruct the public ngrok URL that Twilio used for signing.
+ */
allowNgrokFreeTierLoopbackBypass?: boolean;
/** Skip verification entirely (only for development) */
skipVerification?: boolean;
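Review bot: this hunk only rewrites the doc comment on the option; the behavioural change the comment promises (always running the HMAC check and using forwarded headers solely to rebuild the URL) is not visible here, so it should be backed by a test that sends an unsigned loopback request with the option enabled and asserts rejection. The neighbouring `skipVerification?: boolean;` carries only the comment "only for development"; nothing in the visible type prevents it from being set in production, so consider a runtime guard or at minimum a logged warning when it is true.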
Detection Methods for CVE-2026-29606
Indicators of Compromise
- Webhook requests that arrive without a valid X-Twilio-Signature header and are nevertheless processed successfully
- Unusual volume of voice-call webhook events from non-Twilio IP addresses
- Log entries showing webhook events processed without signature validation
- Anomalous patterns in voice-call extension activity logs
Detection Strategies
- Monitor webhook endpoint logs for requests missing the X-Twilio-Signature header that are processed successfully
- Implement network-level monitoring to detect requests to voice-call webhook endpoints from sources outside Twilio's IP ranges
- Review application logs for signature verification bypass indicators in the voice-call extension
- Set up alerting for unusual request volumes to webhook endpoints
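The first, second and fourth strategies above can be checked offline against access logs. The following is an added TypeScript example, not OpenClaw's code: the log line format, the sample lines and the allowlist contents are constructed (the allowlist stands in for Twilio's published source ranges, which are not reproduced on this page). It flags unsigned requests that were nevertheless accepted, per-source bursts within a sliding window, and sources outside the allowlist.

```typescript
// Constructed sample access-log lines (not real OpenClaw output). Assumed format:
// <iso-timestamp> <method> <path> src=<ip> sig=<present|absent> status=<code>
export const SAMPLE_LOG = `
2026-03-05T10:00:01Z POST /voice/webhook src=198.51.100.7 sig=present status=200
2026-03-05T10:00:02Z POST /voice/webhook src=203.0.113.5 sig=absent status=200
2026-03-05T10:00:02Z POST /voice/webhook src=203.0.113.5 sig=absent status=200
2026-03-05T10:00:03Z POST /voice/webhook src=203.0.113.5 sig=absent status=200
2026-03-05T10:00:03Z POST /voice/webhook src=203.0.113.5 sig=absent status=200
2026-03-05T10:00:04Z POST /voice/webhook src=203.0.113.5 sig=absent status=200
2026-03-05T10:00:05Z POST /voice/webhook src=203.0.113.5 sig=absent status=200
2026-03-05T10:00:09Z POST /voice/webhook src=198.51.100.7 sig=absent status=403
2026-03-05T10:00:10Z GET /health src=203.0.113.5 sig=absent status=200
`.trim();

export interface LogEntry {
  ts: number; method: string; path: string; src: string; sigPresent: boolean; status: number;
}

export interface Finding {
  kind: "unsigned-accepted" | "flood" | "outside-allowlist";
  src: string;
  count: number;
}

export interface AnalyzeOptions {
  webhookPath: string;        // only this endpoint is examined
  floodThreshold: number;     // requests from one source within windowMs that count as a flood
  windowMs: number;
  allowedSources: Set<string>; // constructed stand-in for Twilio's published ranges
}

export const DEFAULT_OPTIONS: AnalyzeOptions = {
  webhookPath: "/voice/webhook",
  floodThreshold: 5,
  windowMs: 10_000,
  allowedSources: new Set(["198.51.100.7"]),
};

const LINE_RE = /^(\S+) (\S+) (\S+) src=(\S+) sig=(present|absent) status=(\d{3})$/;

export function parseLine(line: string): LogEntry | null {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const g = (i: number) => m[i] ?? "";
  return { ts: Date.parse(g(1)), method: g(2), path: g(3), src: g(4), sigPresent: g(5) === "present", status: Number(g(6)) };
}

export function analyze(log: string, opts: AnalyzeOptions = DEFAULT_OPTIONS): Finding[] {
  const bySrc = new Map<string, LogEntry[]>();
  for (const line of log.split("\n")) {
    const e = parseLine(line);
    if (!e || e.path !== opts.webhookPath) continue; // health checks etc. are out of scope
    const list = bySrc.get(e.src) ?? [];
    list.push(e);
    bySrc.set(e.src, list);
  }
  const findings: Finding[] = [];
  for (const [src, list] of bySrc) {
    // 1. Unsigned requests that got a 2xx: the bypass in action. A 403 on an unsigned
    //    request is the handler doing its job and is not flagged.
    const unsigned = list.filter((e) => !e.sigPresent && e.status >= 200 && e.status < 300).length;
    if (unsigned > 0) findings.push({ kind: "unsigned-accepted", src, count: unsigned });
    // 2. Flooding: largest number of requests from this source inside any windowMs span.
    const ts = list.map((e) => e.ts).sort((a, b) => a - b);
    let best = 0, lo = 0;
    for (let hi = 0; hi < ts.length; hi++) {
      while ((ts[hi] ?? 0) - (ts[lo] ?? 0) > opts.windowMs) lo++;
      best = Math.max(best, hi - lo + 1);
    }
    if (best >= opts.floodThreshold) findings.push({ kind: "flood", src, count: best });
    // 3. Any webhook traffic from a source that is not on the allowlist.
    if (!opts.allowedSources.has(src)) findings.push({ kind: "outside-allowlist", src, count: list.length });
  }
  return findings;
}
```

Run over the sample, the analysis reports nothing for 198.51.100.7 (its one unsigned request was rejected with 403) and three findings for 203.0.113.5: six unsigned requests accepted, a burst of six inside the window, and a source outside the allowlist. The health-check line is ignored because it is not the webhook path.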
Monitoring Recommendations
- Enable verbose logging on the voice-call extension webhook handlers
- Configure rate limiting alerts on webhook endpoints to detect flooding attempts
- Implement IP allowlisting for Twilio's published IP ranges where possible
- Monitor for configuration changes to the allowNgrokFreeTierLoopbackBypass setting
How to Mitigate CVE-2026-29606
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Review configurations for the tunnel.allowNgrokFreeTierLoopbackBypass option and disable if not required
- Audit logs for any suspicious webhook activity that may indicate prior exploitation
- Implement IP allowlisting for Twilio webhook sources as an additional defense layer
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.14. The fix ensures that the allowNgrokFreeTierLoopbackBypass option only enables trusting forwarded headers to reconstruct the public ngrok URL for proper signature verification, rather than bypassing signature verification entirely.
For detailed patch information, see the GitHub commit (https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51b5c9) and the GitHub Security Advisory.
Workarounds
- Disable the tunnel.allowNgrokFreeTierLoopbackBypass configuration option if not strictly required for ngrok free tier usage
- Implement network-level access controls to restrict webhook endpoint access to Twilio's IP ranges
- Use a paid ngrok tier that doesn't require this compatibility option
- Deploy a reverse proxy with signature validation as an additional security layer
# Configuration example - disable the vulnerable option.
# In your OpenClaw configuration file, ensure this setting is false
# (false is also the schema default when the key is omitted):
# tunnel:
#   allowNgrokFreeTierLoopbackBypass: false
# Then apply the actual fix by upgrading to the patched version:
npm install openclaw@2026.2.14
# or
yarn upgrade openclaw@2026.2.14
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

