OpenClaw Callback Origin Mutation Vulnerability in Plivo Voice-Call Replay
Vulnerability
A callback origin mutation vulnerability has been identified in OpenClaw versions prior to 2026.3.31, specifically within the Plivo voice-call replay feature. The in-process callback origin is altered before the replay rejection occurs, so a replayed callback can change the origin even though the replay itself is rejected. Exploitation requires capturing valid callbacks from live calls, which can then be replayed to manipulate the callback origin.
Impact
Exploitation of this vulnerability could lead to unauthorized manipulation of callback origins in the Plivo voice-call replay process, potentially allowing for improper handling or routing of voice call events.
Reproduction
To reproduce this vulnerability, first capture a valid callback from a live Plivo voice call. Then, initiate a replay of the call while intercepting the callback origin. The vulnerability can be observed by noting how the callback origin is altered in-process before the replay rejection is applied.
Remediation
Update to OpenClaw version 2026.3.31 or later, where this vulnerability has been patched.
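The defect described above is a check-after-mutate ordering bug. The following is an added illustration, not OpenClaw's or Plivo's code: a minimal model in which the vulnerable handler updates the in-process origin before the replay check, beside a hardened handler that rejects the replay before touching any state. All field names, event ids and URLs are constructed for the example.

```typescript
// Added example: a simplified model of a check-after-mutate replay bug.
// It is NOT OpenClaw's code; field names and URLs below are constructed.

interface VoiceCallback {
  eventId: string;   // unique per delivered event; a replay reuses it
  origin: string;    // where the callback claims to originate
}

interface CallState {
  origin: string;
  seenEventIds: Set<string>;
}

// Vulnerable ordering: the in-process origin is updated before the
// replay check runs, so a rejected replay still leaves its origin behind.
function handleVulnerable(state: CallState, cb: VoiceCallback): boolean {
  state.origin = cb.origin;                 // mutation happens first
  if (state.seenEventIds.has(cb.eventId)) {
    return false;                           // replay rejected, but too late
  }
  state.seenEventIds.add(cb.eventId);
  return true;
}

// Hardened ordering: reject the replay before mutating any state.
function handleHardened(state: CallState, cb: VoiceCallback): boolean {
  if (state.seenEventIds.has(cb.eventId)) {
    return false;                           // nothing has been mutated
  }
  state.seenEventIds.add(cb.eventId);
  state.origin = cb.origin;                 // mutation only after the check
  return true;
}

// Deliver a live callback, then replay its eventId with a different origin,
// and report whether the replay changed the stored origin.
function simulate(
  handler: (s: CallState, cb: VoiceCallback) => boolean,
): { liveAccepted: boolean; replayAccepted: boolean; origin: string } {
  const state: CallState = { origin: "", seenEventIds: new Set<string>() };
  const live: VoiceCallback = { eventId: "evt-001", origin: "https://plivo.example/voice" };
  const replay: VoiceCallback = { eventId: "evt-001", origin: "https://replayed.example/voice" };
  const liveAccepted = handler(state, live);
  const replayAccepted = handler(state, replay);
  return { liveAccepted, replayAccepted, origin: state.origin };
}
```

Both handlers reject the replay; only the hardened one leaves the stored origin unchanged, which is the property a regression test for this class of bug should assert on.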