CVE-2026-28465
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
Description
## Affected Packages / Versions

This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled.

- Package: `@openclaw/voice-call`
- Vulnerable versions: `< 2026.2.3`
- Patched versions: `>= 2026.2.3`

Legacy package name (if you are still using it):

- Package: `@clawdbot/voice-call`
- Vulnerable versions: `<= 2026.1.24`
- Patched versions: none published under this package name; migrate to `@openclaw/voice-call`

## Summary

In certain reverse-proxy / forwarding setups, webhook verification can be bypassed if untrusted forwarded headers are accepted.

## Impact

An external party may be able to send voice-call webhook requests that are accepted as valid, which can result in spoofed webhook events being processed.

## Root Cause

Some deployments implicitly trusted forwarded headers (for example `Forwarded` / `X-Forwarded-*`) when determining request properties used during webhook verification. If those headers are not overwritten by a trusted proxy, a client can supply them directly and influence verification.

## Resolution

Ignore forwarded headers by default unless explicitly trusted and allowlisted in configuration. Keep any loopback-only development bypass restricted to local development only.

Upgrade to a patched version. If you cannot upgrade immediately, strip `Forwarded` and `X-Forwarded-*` headers at the edge so clients cannot supply them directly.

## Fix Commit(s)

- `a749db9820eb6d6224032a5a34223d286d2dcc2f`

## Credits

Thanks `@0x5t` for reporting.
How to patch CVE-2026-28465
To patch CVE-2026-28465, upgrade the affected packages to the patched versions listed below.
- — no patched version listed
- — upgrade to 2026.2.3 or later
Is CVE-2026-28465 being exploited?
Low — EPSS is 0.1%; no large-scale exploitation activity has been observed so far.