CVE

GHSA-4rj2-gpmh-qq5x

OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)

Summary

An authentication bypass in the optional voice-call extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing.

Deployments that do not install/enable the voice-call extension are not affected.

Affected Packages / Versions

  • openclaw (npm): <= 2026.2.1
  • Fixed in: >= 2026.2.2

Details

In affected versions (for example 2026.2.1), the inbound allowlist check in extensions/voice-call/src/manager.ts used suffix-based matching and accepted empty caller IDs after normalization.

This allowed two bypasses:

  1. A missing or empty from value normalized to an empty string, and the allowlist predicate treated that empty caller ID as allowed, so calls without caller ID (anonymous or restricted callers) were accepted.
  2. Suffix-based matching meant any caller whose E.164 digits ended with an allowlisted number was accepted, even though the full number was not on the allowlist.

Proof Of Concept

  1. Configure the voice-call extension with inboundPolicy: allowlist and allowFrom: ["+15550001234"].
  2. Place/trigger an inbound call with missing/empty caller ID (provider-dependent; for example anonymous/restricted caller). The call is accepted.
  3. Place a call from a number whose E.164 digits end with 15550001234 (for example +99915550001234). The call is accepted.
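To make the two bypasses and the fix concrete, the following TypeScript is an illustrative model added to this page; it is not the code from extensions/voice-call/src/manager.ts or from the fix commit. The vulnerable predicate is a reconstruction that reproduces the behaviour described above (tolerant suffix matching in both directions, which also makes an empty caller ID match because every string ends with the empty string); the hardened predicate applies the two rules from the fix: reject a missing caller ID, then require strict equality of normalized numbers. The function names normalizeDigits(), isAllowedVulnerable(), isAllowedFixed() and runPoc(), and the list of inbound calls, are assumptions constructed for the example.

```typescript
// Added example: minimal model of a voice-call inbound allowlist check.
// Hypothetical reconstruction of the advisory's description, not the
// project's code from extensions/voice-call/src/manager.ts.

type CallerId = string | null | undefined;

// Reduce a provider-supplied caller ID to its E.164 digits. Anything without
// digits ("anonymous", "restricted", "", undefined) normalizes to "".
function normalizeDigits(raw: CallerId): string {
  return (raw ?? "").replace(/\D/g, "");
}

// Vulnerable predicate (illustrative): tolerant matching in both directions so
// a number stored with or without a country prefix still matches. Both
// bypasses fall out of this: allowed.endsWith("") is true for an empty caller
// ID, and any longer number ending in an allowlisted number is accepted.
function isAllowedVulnerable(from: CallerId, allowFrom: string[]): boolean {
  const caller = normalizeDigits(from);
  return allowFrom.some((entry) => {
    const allowed = normalizeDigits(entry);
    return caller.endsWith(allowed) || allowed.endsWith(caller);
  });
}

// Hardened predicate following the fix description: a missing caller ID is
// rejected outright, and the normalized numbers must be strictly equal
// (no suffix or prefix matching).
function isAllowedFixed(from: CallerId, allowFrom: string[]): boolean {
  const caller = normalizeDigits(from);
  if (caller === "") return false;
  return allowFrom.some((entry) => normalizeDigits(entry) === caller);
}

// Constructed inbound calls mirroring the proof of concept (assumed data).
const ALLOW_FROM = ["+15550001234"];
const INBOUND_CALLS: { label: string; from: CallerId }[] = [
  { label: "allowlisted caller", from: "+15550001234" },
  { label: "missing caller ID", from: undefined },
  { label: "anonymous caller ID", from: "anonymous" },
  { label: "suffix collision", from: "+99915550001234" },
  { label: "unrelated caller", from: "+15550009999" },
];

interface Outcome {
  label: string;
  vulnerable: boolean;
  fixed: boolean;
}

// Evaluate every constructed call against both predicates.
function runPoc(): Outcome[] {
  return INBOUND_CALLS.map(({ label, from }) => ({
    label,
    vulnerable: isAllowedVulnerable(from, ALLOW_FROM),
    fixed: isAllowedFixed(from, ALLOW_FROM),
  }));
}

for (const o of runPoc()) {
  console.log(`${o.label.padEnd(20)} vulnerable=${o.vulnerable} fixed=${o.fixed}`);
}
```

Run with ts-node or compile with tsc; the vulnerable predicate accepts the missing, anonymous and suffix-collision callers, while the hardened one accepts only the exact allowlisted number. The regression cases named in the fix (missing caller ID, anonymous caller ID, suffix collision) are exactly the rows where the two columns differ.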

Impact

Only operators who install/enable the optional voice-call extension and use inboundPolicy=allowlist or pairing could have inbound access controls bypassed, potentially allowing unauthorized callers to reach auto-response and tool execution.

Fix

The fix hardens inbound policy handling:

  • Reject inbound calls when caller ID is missing.
  • Require strict equality when comparing normalized caller IDs against the allowlist (no suffix/prefix matching).
  • Add regression tests for missing caller ID, anonymous caller ID, and suffix-collision cases.

Fix commit(s):

  • f8dfd034f5d9235c5485f492a9e4ccc114e97fdb

Thanks @simecek for reporting.


CVSS

Version   Severity   Base Score   Vector
3.1       Critical   9.4          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L


References

  • https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x
  • https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e97fdb
  • https://github.com/openclaw/openclaw
  • https://github.com/openclaw/openclaw/releases/tag/v2026.2.2


Basic Information

  • Ecosystem: npm
  • Base CVSS: 9.4
  • EPSS Probability: 0%
  • EPSS Percentile: 0%
  • Introduced Version: 0, 2026.1.14-1, 2026.1.27-beta.1, 2026.1.29-beta.1
  • Fix Available: 2026.2.2