OpenClaw Voice-Call Plugin Unsecured Webhook Verification

CVE-2026-28465 · GHSA-3m3q-x3gj-f79x
Summary

Versions of the OpenClaw voice-call plugin before 2026.2.3 do not properly verify incoming webhooks, allowing attackers to forge webhook events and gain unauthorized access. This can lead to unauthorized actions, such as placing unwanted calls or disclosing sensitive information. Update to version 2026.2.3 or later to fix this issue.

What to do
  • Update openclaw voice-call to version 2026.2.3.
  • Update openclaw @openclaw/voice-call to version 2026.2.3.
Affected software
Vendor     Product                 Affected versions   Fix available
openclaw   voice-call              <= 2026.2.3         2026.2.3
clawdbot   voice-call              <= 2026.1.24
openclaw   openclaw                <= 2026.2.3
openclaw   @openclaw/voice-call    <= 2026.2.3         2026.2.3
clawdbot   @clawdbot/voice-call    <= 2026.1.24
Original title
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untru...
Original description
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.
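The pattern the description refers to, as an added example that is not the OpenClaw plugin's code: a webhook source check that believes Forwarded / X-Forwarded-For from any peer, beside one that consults those headers only when the TCP peer is a configured reverse proxy. The proxy address, provider address, header the proxy sets and function names are all assumptions; the page does not say how the plugin itself consumed these headers.

```javascript
// Added illustration, not the OpenClaw plugin's code: two ways a webhook
// handler can decide whether an event came from the telephony provider.
// Addresses are constructed (RFC 5737 documentation ranges).
const TRUSTED_PROXIES = new Set(['10.0.0.2']);      // assumed: our own reverse proxy
const ALLOWED_SOURCES = new Set(['198.51.100.10']); // assumed: provider webhook egress

// Normalise one forwarded hop: drop quotes, brackets and any :port suffix.
function stripPort(raw) {
  const v = raw.trim().replace(/^"|"$/g, '');
  return v.startsWith('[') ? v.slice(1, v.indexOf(']')) : v.split(':')[0];
}

// Vulnerable (CWE-290): believes the request's own claim about its origin.
// Any peer may send RFC 7239 Forwarded or X-Forwarded-For, and the first
// hop is the one a client controls, so one header impersonates the provider.
function claimedClientVulnerable(req) {
  const h = req.headers;
  const fwd = h.forwarded && /for=([^;,]+)/i.exec(h.forwarded);
  if (fwd) return stripPort(fwd[1]);
  if (h['x-forwarded-for']) return stripPort(h['x-forwarded-for'].split(',')[0]);
  return req.socketAddress;
}

// Hardened: headers are consulted only when the TCP peer is a configured
// proxy; only the header that proxy is known to set is read; and the
// rightmost hop (the one the proxy appended) wins over client-supplied ones.
function effectiveClientHardened(req) {
  if (!TRUSTED_PROXIES.has(req.socketAddress)) return req.socketAddress;
  const xff = req.headers['x-forwarded-for'];
  if (!xff) return req.socketAddress;
  const hops = xff.split(',');
  return stripPort(hops[hops.length - 1]);
}

// Source allow-listing is a secondary control; provider signature
// verification over the payload must still run on every request.
function sourceAllowed(req, clientFn) {
  return ALLOWED_SOURCES.has(clientFn(req));
}

// Constructed requests: an attacker connecting directly, the same attacker
// through our proxy (which appends its peer to X-Forwarded-For but passes a
// Forwarded header through untouched), and the genuine provider via the proxy.
const direct = { socketAddress: '203.0.113.5',
  headers: { 'x-forwarded-for': '198.51.100.10' } };
const viaProxy = { socketAddress: '10.0.0.2',
  headers: { forwarded: 'for=198.51.100.10;proto=https',
             'x-forwarded-for': '198.51.100.10, 203.0.113.5' } };
const genuine = { socketAddress: '10.0.0.2',
  headers: { 'x-forwarded-for': '198.51.100.10' } };
```

Run against the three constructed requests, the vulnerable check accepts all three while the hardened check accepts only the genuine provider request.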
NVD CVSS 3.1: 5.9
NVD CVSS 4.0: 8.2
Vulnerability type
CWE-345 Insufficient Verification of Data Authenticity
CWE-287 Improper Authentication
CWE-290 Authentication Bypass by Spoofing
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026