Home / Vulnerability Intelligence / CVE-2026-29606

CVE-2026-29606 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 5, 2026

OpenClaw - Authentication Bypass

Published: March 5, 2026Updated: March 5, 2026Remote Exploitable

Overview

OpenClaw < 2026.2.14 contains a webhook signature-verification bypass caused by the tunnel.allowNgrokFreeTierLoopbackBypass option enabled in the voice-call extension, letting unauthenticated attackers send forged requests to webhook endpoints, exploit requires explicit enabling of the option.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Unauthenticated attackers can send forged webhook requests, causing unauthorized event handling and potential request flooding.

Mitigation

Update to version 2026.2.14 or later.

References

https://www.vulncheck.com/advisories/openclaw-webhook-signature-verification-bypass-via-ngrok-loopback-compatibility
https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51b5c9
https://github.com/openclaw/openclaw/security/advisories/GHSA-c37p-4qqg-3p76

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-29606
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: new

CWE

CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H