PT-2026-22430 · Npm · @Clawdbot/Voice-Call+1
Published 2026-02-17 · Updated 2026-02-17
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Packages / Versions
This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled.
- Package: @openclaw/voice-call
  - Vulnerable versions: < 2026.2.3
  - Patched versions: >= 2026.2.3
Legacy package name (if you are still using it):
- Package: @clawdbot/voice-call
  - Vulnerable versions: <= 2026.1.24
  - Patched versions: none published under this package name; migrate to @openclaw/voice-call
Summary
In certain reverse-proxy / forwarding setups, webhook verification can be bypassed if untrusted forwarded headers are accepted.
Impact
An external party may be able to send voice-call webhook requests that are accepted as valid, which can result in spoofed webhook events being processed.
Root Cause
Some deployments implicitly trusted forwarded headers (for example Forwarded / X-Forwarded-*) when determining request properties used during webhook verification. If those headers are not overwritten by a trusted proxy, a client can supply them directly and influence verification.
Resolution
Ignore forwarded headers by default unless explicitly trusted and allowlisted in configuration. Keep any loopback-only development bypass restricted to local development only. Upgrade to a patched version.
If you cannot upgrade immediately, strip Forwarded and X-Forwarded-* headers at the edge so clients cannot supply them directly.
Fix Commit(s)
a749db9820eb6d6224032a5a34223d286d2dcc2f
Credits
Thanks @0x5t for reporting.
Fix
Authentication Bypass by Spoofing
Improper Authentication
Insufficient Verification of Data Authenticity
Related Identifiers
Affected Products
@Clawdbot/Voice-Call
@Openclaw/Voice-Call