CVE-2026-28446
Severity: CRITICAL
Base Score: 9.2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Severity: CRITICAL
Base Score: 9.4
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: low
Description
OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass in inbound allowlist policy validation: the check accepts an empty caller ID and matches numbers by suffix instead of strict equality. A remote attacker can bypass inbound access controls by placing a call with no caller ID, or from a number whose digits end with an allowlisted number, to reach the voice-call agent and execute tools.
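As an added example (not OpenClaw's code, and not taken from the advisory or the fix commit), the two policy behaviours the description contrasts are written out side by side in JavaScript, since the affected package is a Node.js application. The function names, the digit-normalisation step, the sample allowlist and the sample inbound caller IDs are all assumptions made for illustration:

```javascript
// Added example, not OpenClaw's implementation. Names and the normalisation
// rule are hypothetical; the allowlist and caller IDs are constructed.

// Constructed sample allowlist: numbers that may reach the voice-call agent.
const SAMPLE_ALLOWLIST = ["+15551234567", "+442071234567"];

// Reduce a caller ID to its digit string so that "+1 (555) 123-4567" and
// "+15551234567" compare equal. Anything that is not a string, or that
// contains no digits (missing, blank, "anonymous"), becomes "".
function normalizeCallerId(callerId) {
  if (typeof callerId !== "string") return "";
  return callerId.replace(/\D/g, "");
}

// The flawed pattern the advisory describes: an empty caller ID is accepted,
// and the match is suffix-based (endsWith) rather than strict equality.
function isAllowedVulnerable(callerId, allowlist = SAMPLE_ALLOWLIST) {
  const from = normalizeCallerId(callerId);
  if (from === "") return true; // BUG: "no caller ID" is treated as allowed
  // BUG: "+9915551234567" ends with the allowlisted digits "15551234567"
  return allowlist.some((entry) => from.endsWith(normalizeCallerId(entry)));
}

// Hardened form: fail closed on a missing/empty caller ID, drop empty
// allowlist entries, and require the whole normalised number to match.
function isAllowedStrict(callerId, allowlist = SAMPLE_ALLOWLIST) {
  const from = normalizeCallerId(callerId);
  if (from === "") return false; // fail closed
  const allowed = new Set(
    allowlist.map(normalizeCallerId).filter((entry) => entry !== "")
  );
  return allowed.has(from);
}

// Run both checks over a list of inbound caller IDs. Each returned row where
// vulnerable is true and strict is false is a call that reached the agent
// under the old policy and is refused under the strict one.
function compareDecisions(callerIds, allowlist = SAMPLE_ALLOWLIST) {
  return callerIds.map((callerId) => ({
    callerId,
    vulnerable: isAllowedVulnerable(callerId, allowlist),
    strict: isAllowedStrict(callerId, allowlist),
  }));
}

// Constructed inbound caller IDs: a legitimate caller, the same number with
// formatting, withheld/missing IDs, a number that merely ends with an
// allowlisted number's digits, and a national-format number without the
// country code.
const SAMPLE_CALLS = [
  "+15551234567",
  "+1 (555) 123-4567",
  undefined,
  "",
  "anonymous",
  "+9915551234567",
  "5551234567",
];

for (const row of compareDecisions(SAMPLE_CALLS)) {
  const flag = row.vulnerable && !row.strict ? "  <-- bypass" : "";
  console.log(
    `${String(row.callerId).padEnd(20)} vulnerable=${row.vulnerable} strict=${row.strict}${flag}`
  );
}
```

The last sample shows a caveat of the strict form: because it compares whole normalised numbers, a caller presented in national format without the country code does not match an E.164 allowlist entry. That is a fail-closed false negative, the right direction for an inbound access control, but it means the allowlist has to be stored in the same canonical form the telephony provider delivers caller IDs in.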
EPSS (Exploit Prediction Scoring System)
Predicts the probability of exploitation from threat intelligence and the characteristics of the vulnerability.
EPSS Score: 0.0026
Percentile: 0.5th
[EPSS Score Trend (Last 10 Days): chart]
CWE-303: Incorrect Implementation of Authentication Algorithm (status: Draft)
Common Consequences
Security Scopes Affected: Access Control
Potential Impacts: Bypass Protection Mechanism
Applicable Platforms
All platforms may be affected
Application
Openclaw by Openclaw
Version Range Affected: up to 2026.2.2 (exclusive)
CPE Identifier: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e…
https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x
https://www.vulncheck.com/advisories/openclaw-inbound-allowlist-policy-bypass-i…