Platform: nodejs
Component: openclaw
Fixed in: 2026.2.14
CVE-2026-29606 is a security vulnerability affecting OpenClaw versions prior to 2026.2.14. This flaw involves a webhook signature-verification bypass within the voice-call extension, enabling unauthorized requests. Exploitation can lead to request flooding and unauthorized webhook event handling, potentially impacting system stability and data integrity. The vulnerability is fixed in version 2026.2.14.
The core of this vulnerability lies in the flawed signature verification process for webhooks in OpenClaw's voice-call extension. When the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled, an attacker can craft and send malicious requests to the publicly accessible webhook endpoint without providing a valid X-Twilio-Signature header. This bypass effectively allows the attacker to impersonate legitimate webhook requests, potentially triggering unintended actions within the OpenClaw system. The potential impact ranges from simple denial-of-service through request flooding to more severe consequences depending on the actions triggered by the forged webhook events, such as unauthorized data modification or system control.
CVE-2026-29606 was publicly disclosed on March 5, 2026. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is released.
OpenClaw deployments utilizing the voice-call extension and with the tunnel.allowNgrokFreeTierLoopbackBypass option enabled are at immediate risk. Organizations relying on OpenClaw for critical communication workflows, particularly those with publicly exposed webhook endpoints, should prioritize patching.
• nodejs: Monitor OpenClaw logs for requests lacking a valid X-Twilio-Signature header. Use grep to search for patterns like "Signature verification failed" or "Invalid webhook request".
grep -i 'signature verification failed' /path/to/openclaw/logs/webhook.log
• generic web: Examine access logs for unusual webhook request patterns, such as a high volume of requests from a single IP address or requests with unexpected parameters. Use curl to test webhook endpoint security.
curl -H 'X-Twilio-Signature: invalid_signature' https://your-openclaw-instance/webhook
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-29606 is to upgrade OpenClaw to version 2026.2.14 or later, which contains the fix for the signature verification bypass. If an immediate upgrade is not feasible, disabling the tunnel.allowNgrokFreeTierLoopbackBypass option can significantly reduce the attack surface, although it may impact legitimate Ngrok functionality. Consider implementing a Web Application Firewall (WAF) with rules to validate the X-Twilio-Signature header and block requests lacking a valid signature. Monitor webhook logs for suspicious activity, such as unexpected event types or high request rates from unknown sources.
Update OpenClaw to version 2026.2.14 or later. This fixes the webhook signature verification bypass vulnerability. If you cannot update immediately, make sure you disable the `tunnel.allowNgrokFreeTierLoopbackBypass` option.
CVE-2026-29606 is a medium-severity vulnerability in OpenClaw versions 0–2026.2.14 that allows unauthenticated attackers to bypass webhook signature verification, potentially leading to unauthorized event handling.
You are affected if you are using OpenClaw versions 0–2026.2.14 and have the tunnel.allowNgrokFreeTierLoopbackBypass option enabled.
Upgrade OpenClaw to version 2026.2.14 or later. Alternatively, disable the tunnel.allowNgrokFreeTierLoopbackBypass option.
There is currently no evidence of active exploitation in the wild, but the vulnerability is considered exploitable.
Refer to the official OpenClaw security advisory for detailed information and updates: [https://openclaw.example/security/advisories/CVE-2026-29606](https://openclaw.example/security/advisories/CVE-2026-29606)