Description
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.
Published: 2026-03-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Webhook Verification Bypass
Action: Patch Now
AI Analysis

Impact

OpenClaw's voice‑call plugin versions prior to 2026.2.3 contain an improper authentication flaw in the webhook verification process. The flaw allows remote attackers to bypass verification by supplying forged Forwarded or X‑Forwarded‑* headers, causing the system to accept malicious webhook events. This can lead to unauthorized actions or data exfiltration, representing a case of improper restriction of remote operator control (CWE‑290).

Affected Systems

Vendors: OpenClaw’s voice‑call product. All releases earlier than version 2026.2.3 are affected. Users running these versions should verify the exact build against the vendor’s versioning schema.

Risk and Exploitability

The vulnerability has a high severity with a CVSS score of 8.2 and an EPSS of less than 1%, indicating a low but nonzero risk of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is via a reverse‑proxy that forwards untrusted Forwarded headers; after successfully spoofing these headers, an attacker can inject arbitrary webhook events. The probability of exploitation is currently low, yet the potential impact justifies immediate remediation for systems exposed to external traffic or managed cloud proxies that may unintentionally forward these headers.

Generated by OpenCVE AI on April 16, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenClaw voice‑call plugin to version 2026.2.3 or later to apply the vendor‑released fix.
  • Reconfigure reverse proxies to strip or mark Forwarded and X‑Forwarded‑* headers as untrusted so that they are not forwarded to the application.
  • Enforce strict webhook validation by verifying request signatures or source IP addresses and rejecting any payloads lacking proper authentication.
  • If an upgrade is not immediately feasible, implement header filtering rules in network firewalls or application gateways to block untrusted forwarded headers until a patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 04:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3m3q-x3gj-f79x OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
History

Tue, 10 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-345

Mon, 09 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw openclaw
Weaknesses CWE-290
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw openclaw

Fri, 06 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw voice-call
Vendors & Products Openclaw
Openclaw voice-call

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.
Title OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw Voice-call
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-11T14:58:37.790Z

Reserved: 2026-02-27T19:18:43.159Z

Link: CVE-2026-28465

cve-icon Vulnrichment

Updated: 2026-03-09T17:51:14.093Z

cve-icon NVD

Status : Modified

Published: 2026-03-05T22:16:19.593

Modified: 2026-03-10T18:18:46.653

Link: CVE-2026-28465

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T04:45:16Z

Weaknesses