Home / Vulnerability Intelligence / CVE-2026-28446

CVE-2026-28446 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 5, 2026

OpenClaw - Authentication Bypass

Published: March 5, 2026Updated: March 5, 2026Remote Exploitable

Overview

OpenClaw < 2026.2.1 with voice-call extension contains an authentication bypass caused by improper inbound allowlist policy validation accepting empty caller IDs and suffix-based matching, letting remote attackers bypass access controls and execute tools.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Remote attackers can bypass inbound access controls to reach voice-call agents and execute tools, potentially compromising system integrity.

Mitigation

Update to version 2026.2.1 or later.

References

https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e97fdb
https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x
https://www.vulncheck.com/advisories/openclaw-inbound-allowlist-policy-bypass-in-voice-call-extension-via-empty-caller-id

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-28446
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: new

CWE

CWE-303

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H