@openclaw/voice-call@2026.2.22 vulnerabilities

OpenClaw voice-call plugin

Direct Vulnerabilities

Known vulnerabilities in the @openclaw/voice-call package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • H
Replay Attack

@openclaw/voice-call is an OpenClaw voice-call plugin

Affected versions of this package are vulnerable to Replay Attack due to improper derivation of the replay key in webhook-security.ts. An attacker can bypass replay protection and submit multiple authenticated requests by modifying the query string of the verification URL without altering the signature.

How to fix Replay Attack?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
  • M
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization via the webhook event deduplication. An attacker can trigger duplicate or stale call-state transitions by replaying Twilio webhook events with randomized event IDs.

How to fix Incorrect Authorization?

Upgrade @openclaw/voice-call to version 2026.2.23 or higher.

Vulnerable versions: <2026.2.23
  • M
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization in the group authorization process when groupPolicy=allowlist and dmPolicy=pairing are configured and pairing-store entries are present. An attacker can gain unauthorized group access by leveraging DM-paired identities to bypass group allowlist checks. This is only exploitable if both groupPolicy=allowlist and dmPolicy=pairing are enabled and pairing-store entries exist.

How to fix Incorrect Authorization?

Upgrade @openclaw/voice-call to version 2026.3.1 or higher.

Vulnerable versions: <2026.3.1