CVE-2026-28465

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28465

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28465.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28465

Aliases

GHSA-3m3q-x3gj-f79x

Published

2026-03-05T22:16:19.593Z

Modified

2026-03-15T14:54:25.513266Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type

GIT

Repo

https://github.com/openclaw/openclaw

Events

Introduced

Fixed

54ddbc466085b42526983f6c90d152fdd7bf365f

Fixed

a749db9820eb6d6224032a5a34223d286d2dcc2f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2026.2.3"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v1.*

v1.0.4

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v2.*

v2.0.0-beta1

v2.0.0-beta2

v2.0.0-beta3

v2.0.0-beta4

v2.0.0-beta5

v2026.*

v2026.1.10

v2026.1.11

v2026.1.11-1

v2026.1.11-2

v2026.1.11-3

v2026.1.12

v2026.1.12-2

v2026.1.13

v2026.1.14-1

v2026.1.15

v2026.1.16-2

v2026.1.20

v2026.1.21

v2026.1.22

v2026.1.23

v2026.1.24

v2026.1.24-1

v2026.1.29

v2026.1.30

v2026.1.5

v2026.1.5-1

v2026.1.5-2

v2026.1.5-3

v2026.1.8

v2026.1.9

v2026.2.1

v2026.2.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28465.json"