Skip to content

[Security] Telnyx webhook signature validation also conditionally disabled #29

Open
Open
[Security] Telnyx webhook signature validation also conditionally disabled#29
@hhhashexe

Description

@hhhashexe
hhhashexe
opened on Mar 19, 2026

Description

Same pattern as Twilio (#19) — the Telnyx webhook handler at src/app/api/webhooks/telnyx/route.ts conditionally skips validation:

if (process.env.TELNYX_PUBLIC_KEY) {
  const valid = provider.validateWebhook(rawBody, headers, "");
  if (!valid) {
    return NextResponse.json({ error: "Invalid signature" }, { status: 403 });
  }
}

If TELNYX_PUBLIC_KEY is not set in the environment, any request is accepted.

Note

In my earlier testing, the production endpoint DID validate signatures (returned {"error":"Invalid signature"}), so the env var IS set in production. But this is a code-level issue — if the env var is ever removed or misconfigured, validation silently disappears.

Fix

Same as #19 — always validate, reject if key is missing:

if (!process.env.TELNYX_PUBLIC_KEY) {
  return NextResponse.json({ error: "Webhook not configured" }, { status: 500 });
}

Severity

🟡 Medium

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions