OpenClaw Webhook Signature Verification Bypass Vulnerability in Voice Call Extension

Vulnerability

A webhook signature verification bypass vulnerability has been identified in the OpenClaw voice-call extension, affecting versions prior to 2026.2.14. When the 'tunnel.allowNgrokFreeTierLoopbackBypass' option is enabled, this vulnerability allows unauthenticated requests to bypass signature verification on the webhook endpoint. An external attacker can exploit this by sending forged requests without a valid 'X-Twilio-Signature' header, leading to unauthorized handling of webhook events and potential flooding of requests.

Impact

Exploitation of this vulnerability could result in unauthorized processing of webhook events, bypassing integrity checks, and allowing for request flooding, which could disrupt service availability.

Reproduction

To reproduce this vulnerability, enable the 'tunnel.allowNgrokFreeTierLoopbackBypass' option in the OpenClaw voice-call extension. Once this option is active, the webhook endpoint accepts requests without requiring a valid 'X-Twilio-Signature' header, so forged requests sent to the webhook URL, which is typically a public ngrok link used during development, are processed as if they came from Twilio.

Remediation

Users should update to OpenClaw version 2026.2.14 or later, where this vulnerability has been patched. In the patched version, the 'allowNgrokFreeTierLoopbackBypass' option no longer bypasses signature verification; it only allows forwarded headers to be trusted on loopback so that the public ngrok URL can be reconstructed and used for proper signature validation.

Added: Mar 5, 2026, 10:22 PM
Updated: Mar 5, 2026, 10:22 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          1.3
exploitability  7.2
remediation     0.0
relevance       3.5
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.