VYPR
High severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 11, 2026

OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

CVE-2026-28465

Description

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.
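
A defensive pattern for the header trust problem described above, as an added example (not OpenClaw's code and not the project's patch): Forwarded and X-Forwarded-* values are honoured only when the direct TCP peer is a reverse proxy you operate. The helper names, the proxy address list and the request shape (Node's http.IncomingMessage) are assumptions.

```javascript
// Constructed sample config: exact addresses of the reverse proxies you run.
// (node:net's BlockList can replace the Set when CIDR ranges are needed.)
const TRUSTED_PROXIES = new Set(["127.0.0.1", "::1", "10.0.0.5"]);

// Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d.
function normalizePeer(addr = "") {
  return addr.startsWith("::ffff:") ? addr.slice(7) : addr;
}

// Last element of a comma-separated header: the hop nearest to us, which is
// the one our own proxy wrote if it appends rather than overwrites.
function lastHop(value) {
  const raw = Array.isArray(value) ? value.join(",") : value || "";
  return raw.split(",").pop().trim();
}

// Pull host= / proto= out of one RFC 7239 Forwarded element.
function parseForwarded(element) {
  const out = {};
  for (const pair of element.split(";")) {
    const [k, v = ""] = pair.trim().split("=");
    out[k.toLowerCase()] = v.replace(/^"|"$/g, "");
  }
  return out;
}

// Hypothetical helper: the scheme/host that verification may rely on.
function effectiveOrigin(req, trusted = TRUSTED_PROXIES) {
  const peer = normalizePeer(req.socket.remoteAddress);
  const origin = {
    proto: req.socket.encrypted ? "https" : "http",
    host: req.headers.host || "",
    forwardedHonoured: false,
  };
  // Untrusted peer: whatever forwarded headers it sent are ignored entirely.
  if (!trusted.has(peer)) return origin;

  const fwd = parseForwarded(lastHop(req.headers["forwarded"]));
  const proto = fwd.proto || lastHop(req.headers["x-forwarded-proto"]);
  const host = fwd.host || lastHop(req.headers["x-forwarded-host"]);
  if (proto === "http" || proto === "https") origin.proto = proto;
  if (host) origin.host = host;
  origin.forwardedHonoured = true;
  return origin;
}
```

The check only helps if the proxy sets or appends these headers itself; a trusted proxy that passes client-supplied values through unchanged reintroduces the problem.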


Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
@openclaw/voice-call (npm) | < 2026.2.3 | 2026.2.3
@clawdbot/voice-call (npm) | <= 2026.1.24 |
