CVE-2026-28465: CWE-290 Authentication bypass by spoofing in OpenClaw voice-call
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.
AI Analysis
Technical Summary
CVE-2026-28465 is an authentication bypass vulnerability classified under CWE-290, affecting OpenClaw's voice-call plugin versions prior to 2026.2.3. The vulnerability stems from improper authentication in webhook verification mechanisms, specifically in environments where reverse proxies forward client headers such as Forwarded or X-Forwarded-* headers. These headers are often trusted implicitly by backend services to determine the original client IP or other request metadata. However, if an attacker can manipulate these headers, they can spoof webhook events, bypassing authentication checks that rely on these headers for trust decisions. This allows remote attackers to send malicious webhook events that appear legitimate to the OpenClaw voice-call plugin. The CVSS v4.0 score of 8.2 reflects a high severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and a significant impact on integrity. The vulnerability does not affect confidentiality or availability directly but can lead to unauthorized command execution or state changes within the voice-call system. No patches are linked yet, and no known exploits have been observed in the wild, but the risk remains significant due to the nature of webhook-based integrations and widespread use of reverse proxies in modern architectures.
Potential Impact
The primary impact of CVE-2026-28465 is on the integrity of the OpenClaw voice-call system. Attackers who exploit this vulnerability can spoof webhook events, potentially triggering unauthorized actions such as fraudulent call initiations, manipulation of call states, or injection of malicious commands. This can lead to operational disruptions, unauthorized access to voice-call features, or misuse of telephony resources. Organizations relying on OpenClaw voice-call for critical communications, customer interactions, or automated workflows may face service integrity issues, reputational damage, and potential financial losses. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, especially in deployments behind reverse proxies that trust forwarded headers without validation. Although no known exploits are reported, the vulnerability's characteristics make it attractive for attackers targeting telephony infrastructure or voice-based services.
Mitigation Recommendations
To mitigate CVE-2026-28465, organizations should immediately upgrade OpenClaw voice-call plugins to version 2026.2.3 or later once available. In the interim, administrators should implement strict validation of Forwarded and X-Forwarded-* headers at the reverse proxy level, ensuring that only trusted proxies can set or forward these headers. This can be achieved by configuring proxies to remove or overwrite untrusted headers and by restricting access to webhook endpoints to known IP addresses or networks. Additionally, implementing mutual TLS authentication between proxies and backend services can reduce header spoofing risks. Monitoring webhook traffic for anomalies and enabling detailed logging can help detect potential exploitation attempts. Finally, reviewing and hardening webhook authentication mechanisms to avoid reliance on client-supplied headers for trust decisions is critical for long-term security.
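The recommendations above come down to one rule: a forwarded header is evidence only when the TCP peer that delivered it is a proxy you operate. The following Python is an added illustration of that rule and is not OpenClaw's code; the advisory does not say how the voice-call plugin itself verifies webhooks. The trusted-proxy ranges, the provider allowlist, the `Request` shape and the function names (`naive_client_ip`, `effective_client_ip`, `verify_webhook_source`) are all the example's own constructed assumptions. It contrasts the weak pattern (believing the first `X-Forwarded-For` entry from any peer) with a check that trusts `Forwarded`/`X-Forwarded-For` only from known proxies, takes the proxy-appended (rightmost) entry, fails closed, and logs a warning when an untrusted peer sends forwarded headers, which is the anomaly the monitoring advice is looking for.

```python
"""Source check for a webhook endpoint behind a reverse proxy (illustrative, not OpenClaw's code)."""
import ipaddress
import logging
from dataclasses import dataclass, field

log = logging.getLogger("webhook-auth")

# Constructed values for the example: the reverse proxies we operate, and the
# networks the webhook provider is assumed to send from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
WEBHOOK_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


@dataclass
class Request:
    peer_ip: str                                  # TCP peer as seen by the backend socket, never a header
    headers: dict = field(default_factory=dict)   # header names lower-cased by the framework (assumed)


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def _parse_forwarded_for(value):
    """Extract the client from an RFC 7239 Forwarded header ('for=...'); the last element wins."""
    last = None
    for element in value.split(","):
        for pair in element.split(";"):
            key, _, val = pair.strip().partition("=")
            if key.strip().lower() == "for":
                val = val.strip().strip('"')
                if val.startswith("["):          # "[2001:db8::1]:4711" -> "2001:db8::1"
                    val = val[1:val.index("]")]
                elif val.count(":") == 1:        # "203.0.113.5:4711" -> "203.0.113.5"
                    val = val.split(":")[0]
                last = val
    return last


def naive_client_ip(req):
    """The anti-pattern: accept the first X-Forwarded-For entry from any peer."""
    xff = req.headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else req.peer_ip


def effective_client_ip(req, trusted_proxies=TRUSTED_PROXIES):
    """Return (client_ip, suspicious).

    Forwarded headers are honoured only when the TCP peer is one of our own proxies.
    Otherwise the peer itself is the client, and any forwarded header it sent is flagged.
    """
    peer = ipaddress.ip_address(req.peer_ip)
    has_fwd = any(h in req.headers for h in ("forwarded", "x-forwarded-for"))
    if not _in_any(peer, trusted_proxies):
        return peer, has_fwd
    if "forwarded" in req.headers:
        value = _parse_forwarded_for(req.headers["forwarded"])
    else:
        value = req.headers.get("x-forwarded-for")
        # Our proxy appends the connecting address last; earlier entries are client-supplied.
        value = value.split(",")[-1].strip() if value else None
    if value is None:
        return peer, False          # proxy sent nothing usable: fall back to the proxy address (fails closed below)
    try:
        return ipaddress.ip_address(value), False
    except ValueError:
        return peer, True           # malformed value from our own proxy: treat as anomalous


def verify_webhook_source(req, trusted_proxies=TRUSTED_PROXIES, allowlist=WEBHOOK_ALLOWLIST):
    """Accept the webhook only if the derived client address is in the provider allowlist."""
    client, suspicious = effective_client_ip(req, trusted_proxies)
    if suspicious:
        log.warning("forwarded header from untrusted peer %s ignored", req.peer_ip)
    allowed = _in_any(client, allowlist)
    if not allowed:
        log.warning("rejected webhook: client %s not in allowlist", client)
    return allowed


if __name__ == "__main__":
    # Constructed sample: a direct connection carrying a forwarded header, and a proxied one.
    direct = Request("198.51.100.7", {"x-forwarded-for": "203.0.113.5"})
    proxied = Request("10.0.0.5", {"x-forwarded-for": "203.0.113.5"})
    print("naive:", naive_client_ip(direct), "hardened:", verify_webhook_source(direct))
    print("proxied:", verify_webhook_source(proxied))
```

The check only holds if the proxy itself overwrites or strips incoming `Forwarded` and `X-Forwarded-*` headers before appending its own, as the recommendations say; the rightmost-entry rule is what makes a prepended client-supplied entry harmless. Source allowlisting is a network-layer control and complements, rather than replaces, a proper per-event authentication mechanism that does not depend on headers at all.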
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-27T19:18:43.159Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa00a5c48b3f10ff7ae77c
Added to database: 3/5/2026, 10:16:05 PM
Last enriched: 3/13/2026, 7:14:48 PM
Last updated: 4/20/2026, 5:32:04 AM