


Perceptive Security
SOC/SIEM Consultancy

Published:
4 March 2026 at 23:00:00
Alert date:
5 March 2026 at 23:13:13
Source:
nvd.nist.gov
Web Technologies, Identity & Access
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification. Remote attackers can bypass verification by supplying untrusted forwarded headers. The vulnerability allows attackers to spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers. This affects webhook verification mechanisms and can lead to unauthorized access.
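One way to remove the implicit trust described above, shown as an added example that is not OpenClaw's code or its patch: forwarded headers are honoured only when the directly connected peer is an explicitly configured proxy. The request shape, function names and addresses are assumptions made for illustration.

```javascript
// Added example, not OpenClaw code. The request shape below is hypothetical:
// req = { remoteAddress, headers (lower-cased names), url, tls }.
const FORWARDED_NAMES = ["forwarded", "x-forwarded-host", "x-forwarded-proto", "x-forwarded-for"];

// Right-most entry of a comma-separated header: the one written by the
// directly connected proxy; anything to its left may be client-supplied.
function lastValue(v) {
  return v ? String(v).split(",").pop().trim() : undefined;
}

// Parse the right-most element of an RFC 7239 Forwarded header.
function parseForwarded(value) {
  const out = {};
  for (const pair of (lastValue(value) || "").split(";")) {
    const i = pair.indexOf("=");
    if (i > 0) {
      const key = pair.slice(0, i).trim().toLowerCase();
      out[key] = pair.slice(i + 1).trim().replace(/^"|"$/g, "");
    }
  }
  return out;
}

// Resolve the URL a webhook verifier should check against.
// trustedProxies: Set of peer addresses the operator configured explicitly
// (compared as exact strings here).
function resolveWebhookUrl(req, trustedProxies) {
  const h = req.headers;
  const fromProxy = trustedProxies.has(req.remoteAddress);
  let proto = req.tls ? "https" : "http";
  let host = h["host"];
  if (fromProxy) {
    const fwd = parseForwarded(h["forwarded"]);
    proto = fwd.proto || lastValue(h["x-forwarded-proto"]) || proto;
    host = fwd.host || lastValue(h["x-forwarded-host"]) || host;
  }
  return {
    url: `${proto}://${host}${req.url}`,
    // Forwarded headers sent by a peer that is not a configured proxy are
    // ignored; returning their names lets the caller log the attempt.
    ignoredHeaders: fromProxy ? [] : FORWARDED_NAMES.filter((n) => h[n] !== undefined),
  };
}
```

A non-empty `ignoredHeaders` on a webhook request is a useful log field: it marks a peer that sent forwarded headers without being a configured proxy.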
Technical details
Affected products:
OpenClaw voice-call plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-28465
https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f
https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x
https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers
This article was created with the assistance of AI technology by Perceptive.
