CVE-2026-28465

MEDIUM

OpenClaw voice-call <2026.2.3 - Auth Bypass

Title source: llm

Description

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x

[Patch] https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers

Scores

CVSS v3 5.9

EPSS 0.0013

EPSS Percentile 32.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (3)

clawdbot/voice-call 0npm

openclaw/openclaw < 2026.2.3

openclaw/voice-call 0 - 2026.2.3npm

Published Mar 05, 2026

Tracked Since Mar 06, 2026