OpenClaw Voice-Call Extension Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in the OpenClaw voice-call extension, affecting versions prior to 2026.2.1. The vulnerability arises from the inbound allowlist policy validation, which improperly accepts empty caller IDs and employs suffix-based matching instead of strict equality. This flaw allows remote attackers to bypass access controls by making calls with missing caller IDs or numbers that end with allowlisted digits, thereby reaching the voice-call agent and executing tools.
Impact
Exploitation of this vulnerability allows unauthorized callers to bypass inbound access controls and interact with the voice-call agent, potentially leading to unauthorized tool execution.
Reproduction
To reproduce this vulnerability, first configure the OpenClaw voice-call extension with the inbound policy set to 'allowlist' and specify one or more allowlisted numbers. Then place an inbound call with a missing or empty caller ID, or from a number whose digits end with an allowlisted number. The call is accepted, bypassing the allowlist validation.
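The following TypeScript is an added illustration of the two flaws described in the Vulnerability and Reproduction sections above; it is not OpenClaw's code, and the type and function names (InboundConfig, isAllowedVulnerable, isAllowedHardened, normalizeNumber) are assumptions chosen for this example. It places a check with the described defects (empty caller ID accepted, suffix matching) beside a hardened check that rejects missing caller IDs and requires strict equality after normalization.

```typescript
// Added example, not OpenClaw's own code. Models an inbound allowlist policy check.
// Numbers are compared as digit strings; the normalization is a simplification.

type InboundPolicy = "allowlist" | "open";

interface InboundConfig {
  policy: InboundPolicy;
  allowFrom: string[]; // allowlisted caller numbers (assumed config key)
}

// Strip everything except digits so "+1 (555) 123-4567" and "15551234567" compare equal.
function normalizeNumber(raw: string | undefined): string {
  return (raw ?? "").replace(/\D/g, "");
}

// Vulnerable check: reproduces the described behaviour.
//  - a missing or empty caller ID passes the allowlist
//  - any caller whose digits end with an allowlisted entry passes
function isAllowedVulnerable(cfg: InboundConfig, from: string | undefined): boolean {
  if (cfg.policy !== "allowlist") return true;
  const caller = normalizeNumber(from);
  if (caller === "") return true; // flaw 1: empty caller ID is treated as allowed
  // flaw 2: suffix match, so "4415551234567" matches allowlisted "15551234567"
  return cfg.allowFrom.some((entry) => caller.endsWith(normalizeNumber(entry)));
}

// Hardened check: fail closed on a missing caller ID, and require strict equality.
function isAllowedHardened(cfg: InboundConfig, from: string | undefined): boolean {
  if (cfg.policy !== "allowlist") return true;
  const caller = normalizeNumber(from);
  if (caller === "") return false; // no usable caller ID: reject
  // Strict equality also means an empty allowlist entry can never match anything.
  return cfg.allowFrom.some((entry) => normalizeNumber(entry) === caller);
}

// Small self-check returning which callers each version admits (constructed inputs).
function compareChecks(cfg: InboundConfig): Record<string, [boolean, boolean]> {
  const callers: Array<[string, string | undefined]> = [
    ["missing", undefined],
    ["empty", ""],
    ["exact", "+1 (555) 123-4567"],
    ["suffix", "+44 15551234567"],
  ];
  const out: Record<string, [boolean, boolean]> = {};
  for (const [label, from] of callers) {
    out[label] = [isAllowedVulnerable(cfg, from), isAllowedHardened(cfg, from)];
  }
  return out;
}
```

Running compareChecks with an allowlist of ["+15551234567"] shows the vulnerable check admitting the missing, empty and suffix callers while the hardened check admits only the exact match.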
Remediation
Update to OpenClaw version 2026.2.2 or later, where this vulnerability has been patched.