This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: OpenClaw < 2026.2.1 has a critical **Inbound Allowlist Policy Bypass**. **Consequences**: Attackers can bypass access controls via voice-call extensions, leading to unauthorized remote access.
Q2 Root cause? (CWE/Flaw)
**Root Cause**: Flaw in **Inbound Allowlist Policy Validation**. Specifically, it allows bypass via **Empty Caller ID** and **Suffix Matching** logic errors. (CWE not specified in data.)
Q3 Who is affected? (Versions/Components)
**Affected**: **OpenClaw** (open-source AI assistant). **Versions**: All versions **before 2026.2.1**. **Vendor**: OpenClaw.
**Public exploit?**: No specific PoC code provided in data. **Advisories**: VulnCheck and GitHub Security Advisory (GHSA-4rj2-gpmh-qq5x) confirm the flaw exists.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Scan for **OpenClaw** installations. **Focus**: Check the allowlist policy configuration of any **voice-call extensions**. **Version**: Verify whether the installed version is earlier than 2026.2.1.
Q8 Is it fixed officially? (Patch/Mitigation)
**Fixed?**: **YES**. **Patch**: Version **2026.2.1** and later. **Commit**: See GitHub commit f8dfd034f5d9235c5485f492a9e4ccc114e97fdb.
Q9 What if no patch? (Workaround)
**No Patch?**: Mitigate by restricting **inbound voice-call extensions**. **Block**: Empty Caller IDs if possible. **Isolate**: Limit network access to the service until patched.
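An added illustration (not OpenClaw's code, and not taken from the advisory) of the two flaw classes named in Q2 and the "block empty caller IDs" workaround in Q9: a suffix-matching allowlist check that silently accepts an empty caller ID, beside a fail-closed exact-match version. The allowlist values, the E.164 normalization rule and the `decide_inbound` helper are constructed assumptions for the example.

```python
import re

# Constructed allowlist for this illustration; not OpenClaw's real configuration.
ALLOWLIST = ["+15551230001", "+44 20 7946 0000"]

# Full E.164 form assumed here: leading '+', first digit non-zero, 8-15 digits.
E164 = re.compile(r"\+[1-9]\d{7,14}")


def is_allowed_weak(caller_id, allowlist=ALLOWLIST):
    """Flawed pattern of the kind the advisory describes (assumed shape, not the
    project's code): reduce both sides to digits and suffix-match so a caller ID
    missing its country code still matches. Two consequences: every string ends
    with the empty string, so a withheld/empty caller ID matches every entry, and
    any caller whose trailing digits equal an entry's trailing digits matches."""
    digits = re.sub(r"\D", "", caller_id or "")
    return any(re.sub(r"\D", "", entry).endswith(digits) for entry in allowlist)


def normalize_caller_id(raw):
    """Canonical E.164 string, or '' when the value is empty or not a full number."""
    if not raw:
        return ""
    stripped = re.sub(r"[\s\-().]", "", raw)
    return stripped if E164.fullmatch(stripped) else ""


def is_allowed_strict(caller_id, allowlist=ALLOWLIST):
    """Hardened check: fail closed on empty or non-canonical caller IDs and
    require exact equality against the normalized allowlist."""
    caller = normalize_caller_id(caller_id)
    if not caller:
        return False
    allowed = {normalize_caller_id(entry) for entry in allowlist}
    allowed.discard("")  # a malformed allowlist entry must never match anything
    return caller in allowed


def decide_inbound(caller_id, allowlist=ALLOWLIST):
    """Return (allowed, reason) so that rejected calls can be logged and alerted on."""
    if not caller_id:
        return False, "empty caller id"
    if not normalize_caller_id(caller_id):
        return False, "caller id not in full E.164 form"
    if is_allowed_strict(caller_id, allowlist):
        return True, "exact allowlist match"
    return False, "not on allowlist"
```

The `reason` string from `decide_inbound` is what you would write to the call log; a burst of "empty caller id" rejections is the signal worth alerting on while an unpatched instance is still exposed.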
Q10 Is it urgent? (Priority Suggestion)
**Urgency**: **HIGH**. **CVSS**: High severity (C:H, I:H). **Action**: Patch immediately to 2026.2.1+ to prevent remote bypass attacks.