Description
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process.
Published: 2026-04-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Callback Origin Mutation
Action: Immediate Patch
AI Analysis

Impact

The flaw in OpenClaw’s Plivo voice‑call replay allows an attacker who has captured a legitimate callback to alter the in‑process callback origin before the replay is rejected. This mutation can let the attacker spoof the origin of a callback, potentially interfering with authentication, routing, or other logic that relies on the callback source. The vulnerability is a form of Weakness in Authentication (CWE‑367) and can provide a degree of identity spoofing or unauthorized control over the active voice call.

Affected Systems

The OpenClaw application (vendor OpenClaw), all versions earlier than 2026.3.31. Any pre‑2026.3.31 release of OpenClaw running on Node.js is affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.3, indicating moderate severity. The EPSS score of less than 1% suggests a low likelihood of public exploitation at present. It is not listed in the CISA KEV catalog. Attackers would need to have access to a valid callback from an ongoing live call and then replay that callback, modifying its origin. This requires prior capture of a legitimate callback and the ability to send altered replay requests, so the attack vector is considered local to the application context rather than remote. Given the low EPSS value, an immediate patch is recommended, but the risk is not urgent for all users.

Generated by OpenCVE AI on April 28, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later, which removes the callback origin mutation issue.
  • If a version upgrade cannot be applied immediately, disable or block Plivo voice‑call replay functionality until a patch is available.
  • Configure the application to enforce strict origin validation, rejecting any replayed callbacks whose origin does not match the original source after the replay window.
  • Monitor system logs for unusual callback replay attempts and investigate any anomalies promptly.

Advisories

Source: GitHub GHSA
ID: GHSA-89r3-6x4j-v7wf
Title: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection
History

Fri, 24 Apr 2026 15:15:00 +0000

Values removed: none
Values added:
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:15:00 +0000

Values removed: none
Values added:
Description: OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process.
Title: OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay
First time appeared: Openclaw, Openclaw openclaw
Weaknesses: CWE-367
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw, Openclaw openclaw
References: (none listed)
Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics (cvssV4_0): {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-04-24T14:28:46.988Z
Reserved: 2026-04-20T14:03:06.200Z
Link: CVE-2026-41337

Vulnrichment

Updated: 2026-04-24T14:28:29.436Z

NVD

Status: Analyzed
Published: 2026-04-23T22:16:39.780
Modified: 2026-04-28T18:55:58.307
Link: CVE-2026-41337

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses