Programming & Development
2
UPVOTE
dev.to

CVE-2026-28446: The OpenClaw Voice RCE That Makes 42,000 AI Instances Remotely Exploitable

CVSS Score: 9.8 CRITICAL CVE-2026-28446 was published today. It affects OpenClaw with the voice-call extension installed and enabled. It is remotely exploitable without authentication. For context: this is the third critical CVE from the OpenClaw platform in under 60 days. Let's talk about what this means and why the pattern matters more than the individual vulnerability. The CVE-2026-28446 Breakdown OpenClaw's voice-call extension processes audio input through a transcription pipeline before routing it to the AI backend. CVE-2026-28446 is a pre-authentication remote code execution vulnerability in that pipeline — versions prior to 2026.2.1. No valid session required. No authentication bypass needed. An attacker sends a crafted audio payload to an exposed OpenClaw instance and gets shell access. CVSS 9.8 means: network-accessible, no privileges needed, no user interaction, full compromise. The OpenClaw CVE Timeline (60 Days) Date CVE CVSS Descrip
DC

DEV Community

19d ago
2 0

Discussion

Say something first

It all starts with you—share your thoughts now.

No comments yet.

Be the first to share your take and keep the conversation moving.

Join the conversation

Log in or sign up to add your comment and participate in the discussion!

Log In Sign Up

UPVOTERS

Community appreciation

See who found this content valuable and showed their support.

anna_theodorou873

Anna Theodorou

Anna TheodorouUpvoted 19d ago1 comments · 46 shares
sophie.weber

Sophie Weber

Sophie WeberUpvoted 19d ago9 comments · 115 shares

RELATED CONTENT

Continue exploring

Discover more content that aligns with your interests and this post.

dev.to
I open-sourced my SaaS starter — here's the part I didn't

I've started the same SaaS project maybe a dozen times. Workspaces. Members. Roles. Billing webhooks. The "did this email actually verify or did Stripe fire th…
DC

DEV Community

3h ago
0
dev.to
AI won’t save a product that was never composable

AI won't save a product that was never composable Most product teams shipping AI right now are following roughly the same playbook. A chat sidebar. A summar…
DC

DEV Community

16h ago
0
dev.to
Mastering Your Heartbeat: Architecting a High-Frequency Health …

Have you ever wondered how wearable devices manage the massive deluge of data coming from your body every second? We are talking about high-frequency health da…
DC

DEV Community

1d ago
0
dev.to
Why your fixed header disappears in Puppeteer fullPage screensh…

I spent two evenings debugging this. Sharing so you don't have to. The problem When you call page. screenshot({ fullPage: true }) on a site with a…
DC

DEV Community

2d ago
0
dev.to
A Practical Guide to Building a Vision AI Model Serving Pipelin…

This article is based on a VAIaaS (Vision AI as a Service) project we developed for production deployment. I’ll share our experience building a Vision AI model…
Daan Sanchez

Daan Sanchez

2d ago
0
dev.to
Your Phone as a Terminal: One Command, One QR Code, No SSH Clie…

It happens a few times a year. I'm away from my laptop, a deploy is stuck, and I want to tail a log or restart a service. The options all have friction. SSH ap…
DC

DEV Community

2d ago
0

Still curious?

See more related posts

Keep the inspiration flowing with fresh submissions and trending finds from the community.

View Latest