GHSA-3m3q-x3gj-f79x: OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations

February 17, 2026

In certain reverse-proxy / forwarding setups, webhook verification can be bypassed if untrusted forwarded headers are accepted.

References

github.com/advisories/GHSA-3m3q-x3gj-f79x
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f
github.com/openclaw/openclaw/releases/tag/v2026.2.3
github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x

Code Behaviors & Features

Detect and mitigate GHSA-3m3q-x3gj-f79x with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →