Vulnerability Details CVE-2026-28446
OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers can bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits to reach the voice-call agent and execute tools.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 49.4%
CVSS Severity
CVSS v3 Score 9.4