Description

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

Status: PUBLISHED | Reserved: 2026-02-27 | Published: 2026-03-05 | Updated: 2026-03-09 | Assigner: VulnCheck

HIGH: 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

MEDIUM: 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

Insufficient Verification of Data Authenticity

Product status

Default status: unaffected

Any version before 2026.2.3: affected

Credits

@0x5t (reporter)

References

github.com/...enclaw/security/advisories/GHSA-3m3q-x3gj-f79x (GitHub Security Advisory (GHSA-3m3q-x3gj-f79x)) vendor-advisory

github.com/...ommit/a749db9820eb6d6224032a5a34223d286d2dcc2f (Patch Commit) patch

www.vulncheck.com/...rification-bypass-via-forwarded-headers (VulnCheck Advisory: OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers) third-party-advisory

cve.org (CVE-2026-28465)

nvd.nist.gov (CVE-2026-28465)