CVE-2026-28465

Sažetak

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

Reference

https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f
https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x
https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers

CVSS

Base:	5.9
Impact:	3.6
Exploitability:	2.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Zadnje važnije ažuriranje

10-03-2026 - 18:18

Objavljeno

05-03-2026 - 22:16