What is the CVSS score of CVE-2026-28446?

CVE-2026-28446 has a CVSS 3.1 base score of 9.4 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.7%.

Which versions of AI / ML are affected by CVE-2026-28446?

OpenClaw voice-call systems in your organization are vulnerable to authentication bypass attacks that could allow unauthorized callers to access restricted resources.. A patch is available.

Is there a public PoC exploit available for CVE-2026-28446?

Yes, a public proof-of-concept exploit is available for CVE-2026-28446. Prioritise patching immediately. EPSS: 0.7%.

AI / ML CVE-2026-28446

CRITICAL

Incorrect Implementation of Authentication Algorithm (CWE-303)

2026-03-05 disclosure@vulncheck.com

GHSA-4rj2-gpmh-qq5x

Authentication Bypass AI / ML Openclaw

9.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 11, 2026 - 14:16 vuln.today

Public exploit code

Patch released

Mar 11, 2026 - 14:16 nvd

Patch available

CVE Published

Mar 05, 2026 - 22:16 nvd

CRITICAL 9.4

DescriptionNVD

OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers can bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits to reach the voice-call agent and execute tools.

AnalysisAI

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. …

RemediationAI

Within 24 hours: identify all OpenClaw deployments with voice-call extension enabled and assess exposure scope. Within 7 days: apply vendor patch 2026.2.1 or later to all affected systems, prioritizing production environments; if patching is delayed, disable the voice-call extension. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28446 vulnerability details – vuln.today

Back