CVE-2026-28446
OpenClaw · Voice-call extension
An authentication bypass in OpenClaw's voice-call extension allows unauthenticated remote attackers to execute tools by manipulating caller ID validation logic.
Executive summary
A critical authentication bypass vulnerability in the OpenClaw voice-call extension allows unauthenticated remote attackers to execute unauthorized commands via manipulated caller ID inputs.
Vulnerability
The flaw is improper validation of the inbound caller allowlist policy: the extension accepts an empty caller ID, and it compares caller IDs against allowlist entries using an insecure suffix match instead of an exact comparison. An unauthenticated remote attacker can use either weakness to bypass the access control and interact with the voice-call agent.
Business impact
Successful exploitation lets an unauthorized third party interact with internal voice-call agents, which can lead to unauthorized tool execution and system compromise. With a CVSS score of 9.8, the vulnerability poses a severe risk of data exfiltration or service disruption and requires immediate attention.
Remediation
Immediate Action: Upgrade the OpenClaw voice-call extension to version 2026.2.1 or later to resolve the flawed caller ID validation logic.
Proactive Monitoring: Review voice-call logs for anomalous inbound call patterns, specifically those involving empty caller IDs or unexpected suffix matches.
Compensating Controls: Implement strict network-level ingress filtering to restrict access to the voice-call service to known, trusted IP ranges.
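To make the two weaknesses in the Vulnerability section concrete, and to support the log review recommended above, here is an added illustration (not OpenClaw's code, and the suffix direction, the E.164 allowlist and the log line format are assumptions): a fail-open, suffix-matching allowlist check beside a fail-closed exact-match version, plus a helper that flags inbound log entries worth a reviewer's attention.

```python
from __future__ import annotations
import re
from typing import Iterable, Optional

# Constructed allowlist of E.164 numbers (illustration, not OpenClaw's config).
ALLOWLIST = {"+15551234567", "+442071234567"}
E164 = re.compile(r"\+[1-9]\d{6,14}")


def weak_is_allowed(caller_id: str, allowlist: set[str]) -> bool:
    """The flawed pattern the advisory describes (illustration, not OpenClaw's code):
    a missing caller ID fails open, and an allowlist entry matches any caller
    whose number merely ends with it (the suffix direction is an assumption)."""
    if not caller_id:
        return True
    return any(caller_id.endswith(entry) for entry in allowlist)


def normalize(caller_id: Optional[str]) -> Optional[str]:
    """Canonicalise to E.164; return None for an empty or malformed caller ID."""
    digits = re.sub(r"[\s().-]", "", caller_id or "")
    if digits.startswith("00"):          # international prefix -> '+'
        digits = "+" + digits[2:]
    return digits if E164.fullmatch(digits) else None


def strict_is_allowed(caller_id: Optional[str], allowlist: set[str]) -> bool:
    """Hardened check: fail closed on empty/malformed IDs, exact match only."""
    norm = normalize(caller_id)
    if norm is None:
        return False
    canonical = {n for n in map(normalize, allowlist) if n is not None}
    return norm in canonical


def flag_suspicious(log_lines: Iterable[str], allowlist: set[str]) -> list[str]:
    """Log review per the advisory: surface inbound calls with an empty caller ID
    and calls the suffix match would admit but an exact match would reject."""
    flagged = []
    for line in log_lines:
        m = re.search(r'caller_id="([^"]*)"', line)
        cid = m.group(1) if m else ""
        if not cid or (weak_is_allowed(cid, allowlist) and not strict_is_allowed(cid, allowlist)):
            flagged.append(line)
    return flagged


# Constructed sample log lines (the format is an assumption, not OpenClaw's).
SAMPLE_LOG = [
    '2026-02-01T10:00:00Z inbound caller_id="+15551234567" result=allowed',
    '2026-02-01T10:01:00Z inbound caller_id="" result=allowed',
    '2026-02-01T10:02:00Z inbound caller_id="99+15551234567" result=allowed',
    '2026-02-01T10:03:00Z inbound caller_id="+15559999999" result=denied',
]
```

Running `flag_suspicious(SAMPLE_LOG, ALLOWLIST)` returns the empty-caller-ID line and the line whose number only matches an allowlist entry by suffix; the exact-match line and the denied line are left alone.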
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
The severity of this flaw, combined with the ease of exploitation via simple input manipulation, makes this a high-priority remediation task. Administrators should prioritize upgrading to the patched version immediately to prevent unauthorized access to voice-call agent tools.