GHSA-c37p-4qqg-3p76

Suggest an improvement
Source
https://github.com/advisories/GHSA-c37p-4qqg-3p76
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-c37p-4qqg-3p76/GHSA-c37p-4qqg-3p76.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c37p-4qqg-3p76
Published
2026-02-18T00:54:48Z
Modified
2026-02-18T01:44:42.264804Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
Summary
OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled
Details

Summary

A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled.

Impact

This issue is limited to configurations that explicitly enable and expose the voice-call webhook endpoint.

Not affected by default: - The voice-call extension is optional and disabled by default. - The bypass only applied when tunnel.allowNgrokFreeTierLoopbackBypass was explicitly enabled. - Exploitation required the webhook to be reachable (typically via a public ngrok URL during development).

Worst case (when exposed and the option was enabled): - An external attacker could send forged requests to the publicly reachable webhook endpoint that would be accepted without a valid X-Twilio-Signature. - This could result in unauthorized webhook event handling (integrity) and request flooding (availability).

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.13 (latest published as of 2026-02-14)
  • Patched versions: >= 2026.2.14 (planned next release; pending publish)

Fix

allowNgrokFreeTierLoopbackBypass no longer bypasses signature verification. It only enables trusting forwarded headers on loopback so the public ngrok URL can be reconstructed for correct signature validation.

Fix commit(s): - ff11d8793b90c52f8d84dae3fbb99307da51b5c9

Thanks @p80n-sec for reporting.

Database specific 
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-02-18T00:54:48Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.2.14

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-c37p-4qqg-3p76/GHSA-c37p-4qqg-3p76.json"