CVE-2026-28465

MEDIUM

OpenClaw voice-call < 2026.2.3 - Auth Bypass

Title source: llm

Description

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

Scores

CVSS v3 5.9
EPSS 0.0002
EPSS Percentile 3.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE
CWE-345 CWE-290
Status published

Affected Products (3)

openclaw/voice-call < 2026.2.3 (npm)
clawdbot/voice-call (npm)
openclaw/openclaw < 2026.2.3

Timeline

Published Mar 05, 2026
Tracked Since Mar 06, 2026