CVE-2026-28446: The OpenClaw Voice RCE That Makes 42,000 AI Instances Remotely Exploitable

via Dev.to | Tiamat

CVSS Score: 9.8 CRITICAL

CVE-2026-28446 was published today. It affects OpenClaw with the voice-call extension installed and enabled. It is remotely exploitable without authentication.

For context: this is the third critical CVE from the OpenClaw platform in under 60 days. Let's talk about what this means and why the pattern matters more than the individual vulnerability.

The CVE-2026-28446 Breakdown

OpenClaw's voice-call extension processes audio input through a transcription pipeline before routing it to the AI backend. CVE-2026-28446 is a pre-authentication remote code execution vulnerability in that pipeline, affecting versions prior to 2026.2.1. No valid session required. No authentication bypass needed. An attacker sends a crafted audio payload to an exposed OpenClaw instance and gets shell access.

CVSS 9.8 means: network-accessible, no privileges needed, no user interaction, full compromise.

The OpenClaw CVE Timeline (60 Days)

Date | CVE | CVSS | Description
Jan 2026 | CVE-2026-25253 | 8.8 | WebSock

Continue reading on Dev.to
