CVE-2026-28465

MEDIUM 5.9

OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

CWE	CWE-290
Vendor	openclaw
Product	voice-call
Published	Mar 5, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw voice-call

Be the first to know when new medium vulnerabilities affecting openclaw voice-call are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

OpenClaw / voice-call

0 < 2026.2.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x github.com: https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f vulncheck.com: https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers

Credits

🔍 @0x5t