Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-28465

OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
Back to all
CVE

CVE-2026-28465

OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations

Affected Packages / Versions

This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled.

  • Package: @openclaw/voice-call
  • Vulnerable versions: < 2026.2.3
  • Patched versions: >= 2026.2.3

Legacy package name (if you are still using it):

  • Package: @clawdbot/voice-call
  • Vulnerable versions: <= 2026.1.24
  • Patched versions: none published under this package name; migrate to @openclaw/voice-call

Summary

In certain reverse-proxy / forwarding setups, webhook verification can be bypassed if untrusted forwarded headers are accepted.

Impact

An external party may be able to send voice-call webhook requests that are accepted as valid, which can result in spoofed webhook events being processed.

Root Cause

Some deployments implicitly trusted forwarded headers (for example Forwarded / X-Forwarded-*) when determining request properties used during webhook verification. If those headers are not overwritten by a trusted proxy, a client can supply them directly and influence verification.

Resolution

Ignore forwarded headers by default unless explicitly trusted and allowlisted in configuration. Keep any loopback-only development bypass restricted to local development only. Upgrade to a patched version.

If you cannot upgrade immediately, strip Forwarded and X-Forwarded-* headers at the edge so clients cannot supply them directly.

Fix Commit(s)

  • a749db9820eb6d6224032a5a34223d286d2dcc2f

Credits

Thanks @0x5t for reporting.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.2
-
4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
C
H
U
-

Related Resources

No items found.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x, https://nvd.nist.gov/vuln/detail/CVE-2026-28465, https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f, https://github.com/openclaw/openclaw, https://github.com/openclaw/openclaw/releases/tag/v2026.2.3, https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers

Severity

5.9

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
5.9
EPSS Probability
0.00179%
EPSS Percentile
0.39409%
Introduced Version
0
Fix Available
2026.2.3

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading