CVE-2026-28465 — MEDIUM (5.9)

Q: How severe is CVE-2026-28465?

CVE-2026-28465 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-28465?

Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.

Vulnerability Description

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Openclaw	Openclaw	< 2026.2.3

Related Weaknesses (CWE)

CWE-290

References

https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dPatch
https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79xVendor Advisory
https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-byThird Party Advisory

FAQ

What is CVE-2026-28465?

CVE-2026-28465 is a vulnerability with a CVSS score of 5.9 (MEDIUM). OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untruste...

How severe is CVE-2026-28465?

CVE-2026-28465 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-28465?

Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.