PT-2026-23540 · Unknown · Openclaw Voice-Call Plugin

0X5T · Published 2026-02-17 · Updated 2026-03-07 · CVE-2026-28465

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

OpenClaw voice-call plugin, versions prior to 2026.2.3
@clawdbot/voice-call, versions through 2026.1.24

Description

The voice-call plugin's webhook verification accepts untrusted forwarded headers, which allows a remote attacker to bypass authentication. When a deployment implicitly trusts headers such as Forwarded or X-Forwarded-*, an attacker who controls those header values can spoof webhook events. This is exploitable in reverse-proxy configurations where the trusted proxy does not overwrite the forwarded headers it receives from clients. The root cause is that webhook verification relies on forwarded headers without confirming they were set by a trusted proxy.

Recommendations

OpenClaw voice-call plugin versions prior to 2026.2.3 should be upgraded to version 2026.2.3 or later. @clawdbot/voice-call versions through 2026.1.24 should be migrated to the @openclaw/voice-call package and upgraded to version 2026.2.3 or later. If an immediate upgrade is not possible, remove Forwarded and X-Forwarded-* headers at the network edge so that clients cannot supply them directly.
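The weakness above is the generic "trust whatever forwarded headers arrive" pattern, and the mitigation is to honour those headers only when a trusted proxy set them. The following is an added illustration of both sides, written for this page; it is not the voice-call plugin's code and does not reproduce its actual verification logic. It assumes a verification step that needs the request's externally visible scheme and host (the usual input to webhook signature checks), a request shape of `{ headers, remoteAddress, encrypted, path }` constructed for the example rather than Node's `http.IncomingMessage`, a single trusted proxy at the assumed address `10.0.0.5`, and constructed sample requests.

```javascript
// Added example, not the voice-call plugin's own code: derive the public
// scheme and host of a webhook request without trusting client-supplied
// Forwarded / X-Forwarded-* headers. Request objects are a constructed shape
// ({ headers, remoteAddress, encrypted, path }), not http.IncomingMessage.

// Assumed address of the trusted reverse proxy in front of the service.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

function lowerHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

function firstValue(value) {
  // Proxies append to comma-separated lists; the first element is the one
  // set by the hop closest to the original request.
  return String(value).split(',')[0].trim();
}

function parseForwarded(value) {
  // Minimal parser for RFC 7239 "Forwarded: for=...;proto=...;host=..."
  // (first forwarded element only; quoted values are unquoted).
  const fields = {};
  for (const pair of firstValue(value).split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    let v = pair.slice(eq + 1).trim();
    if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
    fields[pair.slice(0, eq).trim().toLowerCase()] = v;
  }
  return fields;
}

// Weak pattern: forwarded headers are honoured no matter which peer sent them.
function resolvePublicUrlNaive(req) {
  const h = lowerHeaders(req.headers);
  const proto = h['x-forwarded-proto'] ? firstValue(h['x-forwarded-proto']) : (req.encrypted ? 'https' : 'http');
  const host = h['x-forwarded-host'] ? firstValue(h['x-forwarded-host']) : h.host;
  return `${proto}://${host}${req.path}`;
}

// Hardened pattern: forwarded headers are honoured only when the TCP peer is
// a configured trusted proxy; otherwise the socket's own scheme and the Host
// header are used and any forwarded headers are ignored.
function resolvePublicUrl(req, trustedProxies) {
  const h = lowerHeaders(req.headers);
  let proto = req.encrypted ? 'https' : 'http';
  let host = h.host;
  if (trustedProxies.has(req.remoteAddress)) {
    const fwd = h.forwarded ? parseForwarded(h.forwarded) : {};
    if (fwd.proto) proto = fwd.proto;
    else if (h['x-forwarded-proto']) proto = firstValue(h['x-forwarded-proto']);
    if (fwd.host) host = fwd.host;
    else if (h['x-forwarded-host']) host = firstValue(h['x-forwarded-host']);
  }
  return `${proto}://${host}${req.path}`;
}

// Process-level analogue of the advisory's edge mitigation: drop every
// forwarded header before verification so it falls back to Host and the
// socket scheme. Only meaningful where no trusted proxy sits in front.
function stripForwardedHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(lowerHeaders(headers))) {
    if (name === 'forwarded' || name.startsWith('x-forwarded-')) continue;
    clean[name] = value;
  }
  return clean;
}

// Constructed sample requests (not captured traffic).
const SPOOFED_REQUEST = {
  remoteAddress: '203.0.113.9', // arbitrary internet client, not a proxy
  encrypted: false,
  path: '/webhook',
  headers: { Host: 'hooks.example.net', 'X-Forwarded-Proto': 'https', 'X-Forwarded-Host': 'spoofed.example' },
};
const PROXIED_REQUEST = {
  remoteAddress: '10.0.0.5', // the trusted proxy
  encrypted: false,
  path: '/webhook',
  headers: { Host: 'voice-call.internal:8080', 'X-Forwarded-Proto': 'https', 'X-Forwarded-Host': 'hooks.example.net' },
};
const RFC7239_REQUEST = {
  remoteAddress: '10.0.0.5',
  encrypted: false,
  path: '/webhook',
  headers: { Host: 'voice-call.internal:8080', Forwarded: 'for=198.51.100.7;proto=https;host="hooks.example.net"' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive   :', resolvePublicUrlNaive(SPOOFED_REQUEST));
  console.log('hardened:', resolvePublicUrl(SPOOFED_REQUEST, TRUSTED_PROXIES));
  console.log('proxied :', resolvePublicUrl(PROXIED_REQUEST, TRUSTED_PROXIES));
}
```

The design point is the `trustedProxies.has(req.remoteAddress)` gate: with it, a direct client cannot change the URL that verification sees, while a request relayed by the configured proxy still resolves to the real public scheme and host. Keeping the trusted-proxy set explicit (and small) is what makes the check auditable; trusting the headers whenever they are present is the weak configuration the advisory describes.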

Fix

Weakness Enumeration

Authentication Bypass by Spoofing
Improper Authentication
Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-28465
GHSA-3M3Q-X3GJ-F79X

Affected Products

@Clawdbot/Voice-Call
@Openclaw/Voice-Call
Openclaw Voice-Call Plugin