CVE-2026-28465: OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
In certain reverse-proxy / forwarding setups, webhook verification can be bypassed if untrusted forwarded headers are accepted.
References
- github.com/advisories/GHSA-3m3q-x3gj-f79x
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f
- github.com/openclaw/openclaw/releases/tag/v2026.2.3
- github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x
- nvd.nist.gov/vuln/detail/CVE-2026-28465
- www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers