CVE-2026-28465

MEDIUM

5.9

Descricao

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

Detalhes CVE

Pontuacao CVSS v3.15.9

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Vetor de ataqueNETWORK

ComplexidadeHIGH

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado3/5/2026

Ultima modificacao3/10/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

openclaw:openclaw

Fraquezas (CWE)

CWE-290CWE-290

Referencias

https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers(disclosure@vulncheck.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.