High severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 11, 2026
OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers
CVE-2026-28465
Description
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.
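A defensive sketch of the trust decision described above, as an added example that is not OpenClaw's code or its patch: forwarded headers influence the webhook URL only when the direct peer is an allowlisted proxy. The helper names, the request shape, and the premise that verification derives the public URL from these headers are assumptions; the addresses in any usage are constructed.

```javascript
// Added example; helper names are hypothetical and this is not OpenClaw code.
// Forwarded / X-Forwarded-* are honored only when the direct TCP peer is an
// allowlisted reverse proxy. From any other peer they are ignored.

function normalizeIp(addr) {
  // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
  return String(addr || "").replace(/^::ffff:/i, "").toLowerCase();
}

// Rightmost list entry is the one written by the directly connected proxy;
// entries to its left may have been supplied by the client.
function lastEntry(value) {
  return String(value || "").split(",").pop().trim();
}

function parseForwarded(value) {
  // RFC 7239 element: semicolon-separated key=value pairs, values may be quoted
  const out = {};
  for (const pair of lastEntry(value).split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    out[pair.slice(0, idx).trim().toLowerCase()] =
      pair.slice(idx + 1).trim().replace(/^"|"$/g, "");
  }
  return out;
}

function effectiveWebhookUrl(req, trustedProxies) {
  // req (assumed shape): { remoteAddress, encrypted, url, headers } with
  // lower-cased header names, as Node's http module provides them.
  const direct = { proto: req.encrypted ? "https" : "http", host: req.headers["host"] };
  const trusted = trustedProxies.map(normalizeIp).includes(normalizeIp(req.remoteAddress));
  let { proto, host } = direct;
  if (trusted) {
    const fwd = parseForwarded(req.headers["forwarded"]);
    const p = (fwd.proto || lastEntry(req.headers["x-forwarded-proto"])).toLowerCase();
    const h = fwd.host || lastEntry(req.headers["x-forwarded-host"]);
    if (p === "http" || p === "https") proto = p;
    if (/^[a-z0-9.-]+(:\d+)?$/i.test(h)) host = h; // reject malformed hosts
  }
  return {
    url: `${proto}://${host}${req.url}`,
    forwardedHonored: trusted,
  };
}
```

With a single trusted proxy the rightmost entry is the safe one to read; the proxy should still be configured to overwrite, not pass through, client-supplied forwarded headers.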
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openclaw/voice-call (npm) | < 2026.2.3 | 2026.2.3 |
| @clawdbot/voice-call (npm) | <= 2026.1.24 | — |
Affected products
- ghsa-coords (2 versions)
  - (no CPE) range: <= 2026.1.24
  - (no CPE) range: < 2026.2.3
- OpenClaw/voice-call (v5) Range: 0
References
- github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f (ghsa, patch, WEB)
- github.com/advisories/GHSA-3m3q-x3gj-f79x (ghsa, ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-28465 (ghsa, ADVISORY)
- www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers (ghsa, third-party-advisory, WEB)
- github.com/openclaw/openclaw/releases/tag/v2026.2.3 (ghsa, WEB)