CVE-2026-28465: Insufficient Verification of Data Authenticity in OpenClaw voice-call
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.
AI Analysis
Technical Summary
CVE-2026-28465 is a vulnerability in OpenClaw's voice-call plugin versions before 2026.2.3, caused by insufficient verification of data authenticity in webhook event processing. The core issue is an improper authentication mechanism that relies on HTTP headers such as Forwarded or X-Forwarded-* to verify webhook requests. In many reverse-proxy setups these headers are trusted implicitly to identify the original client IP or request source, but any client can set them itself, so an attacker can manipulate them to spoof webhook events and bypass the intended verification. This allows remote, unauthenticated attackers to send crafted webhook requests that the system accepts as legitimate, potentially triggering unauthorized actions or commands within the voice-call plugin environment. The vulnerability requires no user interaction and is exploitable over the network, but has high attack complexity because it depends on a specific reverse-proxy configuration. The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N) reflects a network attack vector, high attack complexity, attack requirements present (deployment-specific conditions must hold), no privileges or user interaction needed, and high impact on integrity. While no public exploits are currently known, the vulnerability poses a significant risk to the integrity of webhook-triggered operations and could lead to unauthorized command execution or denial of service if exploited. The issue underscores the importance of robust webhook authentication mechanisms that do not rely solely on forwarded headers, especially in environments using reverse proxies.
Potential Impact
The vulnerability can allow attackers to spoof webhook events, leading to unauthorized execution of webhook-triggered actions within the OpenClaw voice-call plugin. This can compromise the integrity of the system by allowing malicious commands or data injection, potentially disrupting voice communication services or enabling further attacks within the network. Organizations relying on OpenClaw voice-call for critical communications may experience service interruptions, data manipulation, or unauthorized access to internal processes. The lack of authentication and user interaction requirements increases the risk of automated exploitation attempts. Although no known exploits exist yet, the vulnerability's presence in widely deployed voice communication infrastructure could have cascading effects on business operations, customer trust, and regulatory compliance. The impact is primarily on integrity and availability, with no direct confidentiality loss indicated. The exploitation complexity is high, but the network-exploitable nature and lack of required privileges make it a serious threat that should be addressed promptly.
Mitigation Recommendations
1. Upgrade the OpenClaw voice-call plugin to version 2026.2.3 or later, where the vulnerability is fixed.
2. Review and harden reverse proxy configurations to avoid implicit trust of Forwarded and X-Forwarded-* headers; implement strict validation or remove reliance on these headers for authentication.
3. Implement additional webhook verification mechanisms such as cryptographic signatures (e.g., HMAC) to ensure webhook authenticity regardless of proxy headers.
4. Monitor webhook traffic for anomalous or unexpected events that could indicate spoofing attempts.
5. Restrict network access to webhook endpoints to trusted sources only, using IP whitelisting or VPNs.
6. Conduct regular security audits and penetration testing focused on webhook and proxy configurations.
7. Educate development and operations teams about the risks of trusting forwarded headers and best practices for webhook security.
8. Employ logging and alerting on suspicious header manipulations or failed verification attempts to enable rapid incident response.
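As an added illustration (not OpenClaw's code; written in Python rather than the plugin's own language, with constructed proxy and sender ranges, a constructed secret and a hypothetical X-Webhook-Signature header), the first function shows the weak pattern described in the analysis, where a client-supplied X-Forwarded-For decides the request source, and the second applies recommendations 2 and 3 together: honour the forwarded header only when the direct peer is a known proxy, and additionally verify an HMAC over the body.

```python
import hashlib
import hmac
import ipaddress

# Constructed values for the example: a trusted reverse proxy range,
# the sender range a webhook is expected to come from, and a shared secret.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]
WEBHOOK_SECRET = b"constructed-shared-secret"
SIGNATURE_HEADER = "x-webhook-signature"  # hypothetical header name


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def weak_verify(peer_ip, headers):
    """Vulnerable pattern: the client-supplied X-Forwarded-For decides the
    source, regardless of which host actually opened the TCP connection."""
    claimed = headers.get("x-forwarded-for", peer_ip).split(",")[0].strip()
    return _in_any(ipaddress.ip_address(claimed), ALLOWED_SENDERS)


def effective_client_ip(peer_ip, headers):
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy,
    and take the rightmost entry, the one that proxy appended itself."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("x-forwarded-for")
    if xff and _in_any(peer, TRUSTED_PROXIES):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def sign(body):
    """HMAC-SHA256 over the raw body, as the legitimate sender computes it."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def hardened_verify(peer_ip, headers, body):
    """Source check on the proxy-attested IP plus a constant-time HMAC check,
    so a forged header alone can never authenticate an event."""
    if not _in_any(effective_client_ip(peer_ip, headers), ALLOWED_SENDERS):
        return False
    return hmac.compare_digest(headers.get(SIGNATURE_HEADER, ""), sign(body))
```

A peer outside the proxy range that sets X-Forwarded-For passes the weak check and fails the hardened one, and a request relayed by the trusted proxy still fails if the body does not match the signature.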
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-27T19:18:43.159Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa00a5c48b3f10ff7ae77c
Added to database: 3/5/2026, 10:16:05 PM
Last enriched: 3/5/2026, 10:30:44 PM
Last updated: 3/6/2026, 12:54:59 AM