Platform
nodejs
Component
openclaw
Fixed in
2026.2.14
CVE-2026-29606 is a security vulnerability affecting OpenClaw versions prior to 2026.2.14. This flaw involves a webhook signature-verification bypass within the voice-call extension, enabling unauthorized requests. Exploitation can lead to request flooding and unauthorized webhook event handling, potentially impacting system stability and data integrity. The vulnerability is fixed in version 2026.2.14.
The core of this vulnerability lies in the flawed signature verification process for webhooks in OpenClaw's voice-call extension. When the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled, an attacker can craft and send malicious requests to the publicly accessible webhook endpoint without providing a valid X-Twilio-Signature header. This bypass effectively allows the attacker to impersonate legitimate webhook requests, potentially triggering unintended actions within the OpenClaw system. The potential impact ranges from simple denial-of-service through request flooding to more severe consequences depending on the actions triggered by the forged webhook events, such as unauthorized data modification or system control.
CVE-2026-29606 was publicly disclosed on March 5, 2026. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is released.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-29606 is to upgrade OpenClaw to version 2026.2.14 or later, which contains the fix for the signature verification bypass. If an immediate upgrade is not feasible, disabling the tunnel.allowNgrokFreeTierLoopbackBypass option can significantly reduce the attack surface, although it may impact legitimate Ngrok functionality. Consider implementing a Web Application Firewall (WAF) with rules to validate the X-Twilio-Signature header and block requests lacking a valid signature. Monitor webhook logs for suspicious activity, such as unexpected event types or high request rates from unknown sources.
Update OpenClaw to version 2026.2.14 or higher. This fixes the webhook signature verification bypass vulnerability. If you cannot update immediately, ensure you disable the `tunnel.allowNgrokFreeTierLoopbackBypass` option.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-29606 is a medium-severity vulnerability in OpenClaw versions 0–2026.2.14 that allows unauthenticated attackers to bypass webhook signature verification, potentially leading to unauthorized event handling.
You are affected if you are using OpenClaw versions 0–2026.2.14 and have the tunnel.allowNgrokFreeTierLoopbackBypass option enabled.
Upgrade OpenClaw to version 2026.2.14 or later. Alternatively, disable the tunnel.allowNgrokFreeTierLoopbackBypass option.
There is currently no evidence of active exploitation in the wild, but the vulnerability is considered exploitable.
Refer to the official OpenClaw security advisory for detailed information and updates: [https://openclaw.example/security/advisories/CVE-2026-29606](https://openclaw.example/security/advisories/CVE-2026-29606)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.