Improper Authentication Vulnerability in OpenClaw Voice-Call Plugin
CVE-2026-28465

8.2HIGH

Key Information:

Vendor: Openclaw
Status: Voice-call
Vendor: CVE Published:; 5 March 2026

What is CVE-2026-28465?

The OpenClaw Voice-Call Plugin, prior to version 2026.2.3, suffers from an improper authentication vulnerability that permits remote attackers to circumvent verification processes associated with webhook events. This can be accomplished by manipulating the Forwarded or X-Forwarded-* headers within configurations that assume these headers are trustworthy. As a result, attackers can spoof webhook events, which poses significant security risks to applications relying on this plugin.

Affected Version(s)

voice-call 0 < 2026.2.3

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/a749db9820eb6...

patch

https://www.vulncheck.com/advisories/openclaw-voice-call-...

third-party-advisory

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 5, 2026
Vulnerability Reserved
Feb 27, 2026

Credit

@0x5t

CVE-2026-28465 Data

JSON

Openclaw

What is CVE-2026-28465?

Affected Version(s)

References

CVSS V4

Timeline

Credit