CVE-2026-28465 HIGH

CVE-2026-28465: OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

Vendor Openclaw
Product voice-call
Weakness CWE-290
Published March 5, 2026
Last update March 11, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

Key dates

02Disclosure timeline

March 5, 2026 CVE published
March 11, 2026 Record updated