CVE-2026-28465 Overview
OpenClaw's voice-call plugin versions before 2026.2.3 contain a webhook verification bypass classified as CWE-345 (Insufficient Verification of Data Authenticity). When reconstructing and validating the webhook URL, the plugin accepts Forwarded and X-Forwarded-* headers without checking that they were set by a trusted proxy. Behind a reverse proxy that passes these headers through unchanged, a remote attacker can supply their own values and spoof webhook events.
Critical Impact
Remote attackers can bypass webhook verification controls and spoof webhook events, potentially leading to unauthorized actions being triggered through the voice-call plugin without proper authentication.
Affected Products
- OpenClaw voice-call plugin versions prior to 2026.2.3
- Deployments using reverse-proxy configurations that trust forwarding headers
- Environments with ngrok or similar tunneling services
Discovery Timeline
- 2026-03-05 - CVE-2026-28465 published to NVD
- 2026-03-05 - Last updated in the NVD database
Technical Details for CVE-2026-28465
Vulnerability Analysis
This vulnerability exists in the webhook verification mechanism of OpenClaw's voice-call plugin. The root issue stems from the plugin's improper handling of HTTP forwarding headers (Forwarded, X-Forwarded-Host, X-Forwarded-Proto, etc.) during webhook URL reconstruction and validation.
When the voice-call plugin receives incoming webhook requests, it attempts to verify the authenticity of these requests to prevent unauthorized webhook event spoofing. However, versions prior to 2026.2.3 do not properly validate or restrict the acceptance of forwarding headers, allowing attackers to inject arbitrary values.
In the reverse-proxy deployments typical of production, the plugin implicitly trusts these headers without checking that they were set by the proxy rather than supplied by the client. That trust assumption is the bypass: whoever controls the forwarding headers controls the perceived origin and public URL of the webhook request.
Root Cause
The vulnerability is rooted in insufficient verification of data authenticity (CWE-345). The webhook verification logic relied on forwarding headers for URL reconstruction without implementing a hostname allowlist or requiring explicit trust configuration. The legacy allowNgrokFreeTier configuration option compounded this issue by enabling permissive header trust without proper security controls.
Attack Vector
The attack is network-based and can be executed remotely. An attacker can craft malicious HTTP requests to the webhook endpoint with spoofed Forwarded or X-Forwarded-* headers. By manipulating these headers, the attacker can:
- Bypass webhook origin verification checks
- Spoof the apparent source of webhook events
- Trigger unauthorized voice-call actions or state changes
- Potentially chain with other vulnerabilities for broader impact
The attack requires the target deployment to use a reverse-proxy configuration that passes through forwarding headers to the application.
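The following is an added example, not OpenClaw's code: it models the public-URL reconstruction the advisory describes, with the unsafe pattern (forwarding headers trusted unconditionally) beside a hardened one built on the two options the patch introduces, allowedHosts and trustForwardingHeaders. The request shape, the https fallback default, the header precedence and the sample values are assumptions made for illustration; the RFC 7239 Forwarded parser handles the standard header the advisory names alongside X-Forwarded-*.

```typescript
// Added example, not OpenClaw's code: public-URL reconstruction from forwarding headers,
// the unsafe pattern beside a hardened one modelled on the patch's allowedHosts and
// trustForwardingHeaders options. Request shape, defaults and sample values are assumptions.

// Minimal request model; header names are lower-cased, as Node's http module presents them.
interface IncomingRequest {
  headers: Record<string, string>;
  path: string;
}

interface WebhookSecurityConfig {
  allowedHosts: string[];          // host[:port] values accepted from forwarding headers
  trustForwardingHeaders: boolean; // accept any forwarded host; only safe behind a sanitising proxy
}

interface HostCandidate {
  host?: string;
  proto?: string;
}

// Parse the first element of an RFC 7239 Forwarded header, e.g.
//   Forwarded: for=203.0.113.9;host="spoofed.example";proto=https, for=10.0.0.2
// Only host and proto are extracted; quoted values are unquoted.
function parseForwarded(value: string): HostCandidate {
  const out: HostCandidate = {};
  for (const pair of value.split(",")[0].split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const key = pair.slice(0, eq).trim().toLowerCase();
    let val = pair.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (key === "host") out.host = val;
    if (key === "proto") out.proto = val.toLowerCase();
  }
  return out;
}

// Host/proto as claimed by the client-influenced headers; X-Forwarded-* wins over Forwarded
// (an assumed precedence, chosen because most proxies emit the X-Forwarded-* form).
function forwardedCandidate(req: IncomingRequest): HostCandidate {
  const h = req.headers;
  const fwd = h["forwarded"];
  const xfh = h["x-forwarded-host"];
  const xfp = h["x-forwarded-proto"];
  const rfc7239: HostCandidate = fwd !== undefined ? parseForwarded(fwd) : {};
  return {
    host: xfh !== undefined ? xfh : rfc7239.host,
    proto: xfp !== undefined ? xfp.toLowerCase() : rfc7239.proto,
  };
}

// UNSAFE (the pre-2026.2.3 pattern the advisory describes): whatever the client put in the
// forwarding headers becomes the URL the verifier reasons about.
function reconstructUrlUnsafe(req: IncomingRequest): string {
  const c = forwardedCandidate(req);
  const hostHeader = req.headers["host"];
  const host = c.host !== undefined ? c.host : (hostHeader !== undefined ? hostHeader : "");
  const proto = c.proto !== undefined ? c.proto : "http";
  return `${proto}://${host}${req.path}`;
}

// HARDENED: a forwarded host is honoured only if it is allowlisted or the operator explicitly
// trusts the proxy chain; otherwise the Host header the proxy itself set is used and the
// forwarded proto is ignored too. Comparison is case-insensitive and exact (no suffix match).
function reconstructUrlHardened(req: IncomingRequest, cfg: WebhookSecurityConfig): string {
  const c = forwardedCandidate(req);
  const hostHeader = req.headers["host"];
  let host = (hostHeader !== undefined ? hostHeader : "").toLowerCase();
  let proto = "https"; // assumed deployment default for a public webhook endpoint
  if (c.host !== undefined) {
    const claimed = c.host.toLowerCase();
    const allowed = cfg.allowedHosts.some((h) => h.toLowerCase() === claimed);
    if (cfg.trustForwardingHeaders || allowed) {
      host = claimed;
      if (c.proto === "http" || c.proto === "https") proto = c.proto;
    }
  }
  return `${proto}://${host}${req.path}`;
}

// Constructed sample: a request whose forwarding headers were set by the client and passed
// through by a proxy that does not overwrite them.
const spoofedRequest: IncomingRequest = {
  headers: {
    host: "voice.example.com",
    "x-forwarded-host": "spoofed.example",
    "x-forwarded-proto": "http",
    forwarded: 'for=203.0.113.9;host="spoofed.example";proto=http',
  },
  path: "/voice/webhook",
};

const webhookSecurity: WebhookSecurityConfig = {
  allowedHosts: ["voice.example.com"],
  trustForwardingHeaders: false,
};

console.log(reconstructUrlUnsafe(spoofedRequest));                    // http://spoofed.example/voice/webhook
console.log(reconstructUrlHardened(spoofedRequest, webhookSecurity)); // https://voice.example.com/voice/webhook
```

The unsafe function hands the attacker the host and scheme that every downstream check is computed against; the hardened one falls back to the proxy-set Host header whenever the claimed host is not allowlisted, and only trustForwardingHeaders: true (the explicit opt-in the patch adds) restores the permissive behaviour.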
// Security patch in extensions/voice-call/src/config.ts
// Source: https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f
* will be allowed only for loopback requests (ngrok local agent).
*/
allowNgrokFreeTierLoopbackBypass: z.boolean().default(false),
- /**
- * Legacy ngrok free tier compatibility mode (deprecated).
- * Use allowNgrokFreeTierLoopbackBypass instead.
- */
- allowNgrokFreeTier: z.boolean().optional(),
})
.strict()
.default({ provider: "none", allowNgrokFreeTierLoopbackBypass: false });
export type VoiceCallTunnelConfig = z.infer<typeof VoiceCallTunnelConfigSchema>;
+// -----------------------------------------------------------------------------
+// Webhook Security Configuration
+// -----------------------------------------------------------------------------
+
+export const VoiceCallWebhookSecurityConfigSchema = z
+ .object({
+ /**
+ * Allowed hostnames for webhook URL reconstruction.
+ * Only these hosts are accepted from forwarding headers.
+ */
+ allowedHosts: z.array(z.string().min(1)).default([]),
+ /**
+ * Trust X-Forwarded-* headers without a hostname allowlist.
+ * WARNING: Only enable if you trust your proxy configuration.
+ */
+ trustForwardingHeaders: z.boolean().default(false),
+ /**
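Review bot: removing `allowNgrokFreeTier` from a schema that ends in `.strict()` means any existing config still carrying that key now fails validation outright instead of being ignored; failing closed here is defensible, but it should be stated in the changelog and surfaced with a clear error message that points operators at `allowNgrokFreeTierLoopbackBypass`, rather than a generic unrecognized-key error. On the new schema, `allowedHosts: z.array(z.string().min(1))` accepts entries verbatim; a `.transform((h) => h.toLowerCase())` plus a refinement rejecting values containing `/`, `:` beyond a port, or whitespace would make the comparison against the forwarded host exact and stop an entry like `https://host` from silently never matching. The `trustForwardingHeaders` doc comment should also say what happens when it is true and `allowedHosts` is non-empty (does the allowlist still apply?), and spell out that "trust your proxy configuration" means the proxy overwrites, not forwards, client-supplied Forwarded and X-Forwarded-* headers.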
Detection Methods for CVE-2026-28465
Indicators of Compromise
- Unexpected webhook events triggered without corresponding legitimate source actions
- Log entries showing webhook requests with suspicious or unexpected X-Forwarded-* header values
- Anomalous voice-call plugin activity patterns not matching normal operational baselines
- HTTP requests to webhook endpoints containing manually crafted forwarding headers from external IP addresses
Detection Strategies
- Monitor incoming webhook requests for inconsistent or unexpected forwarding header patterns
- Implement logging of all Forwarded, X-Forwarded-Host, X-Forwarded-Proto, and X-Forwarded-For header values at the application layer
- Compare forwarding header values against known legitimate proxy server addresses
- Alert on webhook verification failures or unusual authentication bypass patterns
Monitoring Recommendations
- Enable verbose logging for the voice-call plugin webhook verification component
- Configure network intrusion detection to flag HTTP requests with suspicious header manipulation patterns
- Establish baseline metrics for normal webhook traffic and alert on statistical deviations
- Review reverse-proxy access logs for requests that bypass expected authentication flows
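As an added example, not OpenClaw's code, here is a detection pass over application-layer webhook logs of the kind the recommendations above ask for. It runs two rules over JSON-lines records: forwarding headers arriving from a peer that is not a trusted proxy, and a claimed forwarded host that is not one the webhook is served on (escalated when the plugin's verification nonetheless passed). The record layout, policy, field names and sample lines are constructed for illustration.

```typescript
// Added example, not OpenClaw's code: a detection pass over application-layer webhook logs.
// The record layout, policy and sample lines are constructed for illustration.

interface WebhookLogRecord {
  ts: string;
  remoteAddr: string;       // TCP peer seen by the application (the proxy, when one is in front)
  host: string;             // Host header as received
  path: string;
  forwarded?: string;       // RFC 7239 Forwarded header, if present
  xForwardedHost?: string;
  xForwardedProto?: string;
  xForwardedFor?: string;
  verified: boolean;        // whether the plugin's webhook verification accepted the request
}

interface DetectionPolicy {
  trustedProxies: string[]; // only these peers may legitimately add forwarding headers
  allowedHosts: string[];   // public hostnames the webhook endpoint is served on
}

interface Finding {
  ts: string;
  rule: string;
  detail: string;
}

// Host claimed by the forwarding headers: X-Forwarded-Host first, then Forwarded's host= pair.
function claimedHost(rec: WebhookLogRecord): string | undefined {
  if (rec.xForwardedHost !== undefined) return rec.xForwardedHost.toLowerCase();
  const m = rec.forwarded !== undefined ? /(?:^|[;,\s])host=("?)([^";,]+)\1/i.exec(rec.forwarded) : null;
  return m !== null ? m[2].toLowerCase() : undefined;
}

function analyzeRecord(rec: WebhookLogRecord, policy: DetectionPolicy): Finding[] {
  const findings: Finding[] = [];
  const hasForwardingHeaders =
    rec.forwarded !== undefined || rec.xForwardedHost !== undefined ||
    rec.xForwardedProto !== undefined || rec.xForwardedFor !== undefined;

  // Rule 1: forwarding headers on a request whose peer is not a trusted proxy. Either the
  // endpoint is reachable directly, or the proxy chain is not what the policy says it is.
  if (hasForwardingHeaders && !policy.trustedProxies.includes(rec.remoteAddr)) {
    findings.push({ ts: rec.ts, rule: "forwarding-headers-from-untrusted-peer",
      detail: `peer ${rec.remoteAddr} sent forwarding headers for ${rec.path}` });
  }

  // Rule 2: the claimed public host is not one the webhook is served on. A passing
  // verification on such a request is the strongest indicator of the bypass.
  const host = claimedHost(rec);
  if (host !== undefined && !policy.allowedHosts.some((h) => h.toLowerCase() === host)) {
    findings.push({ ts: rec.ts,
      rule: rec.verified ? "verified-with-unlisted-forwarded-host" : "unlisted-forwarded-host",
      detail: `claimed host ${host}, Host header ${rec.host}` });
  }
  return findings;
}

// Run the rules over JSON-lines log text; malformed lines are skipped rather than aborting the pass.
function analyzeLog(logText: string, policy: DetectionPolicy): Finding[] {
  const findings: Finding[] = [];
  for (const line of logText.split("\n")) {
    if (line.trim() === "") continue;
    let rec: WebhookLogRecord;
    try {
      rec = JSON.parse(line) as WebhookLogRecord;
    } catch {
      continue;
    }
    if (typeof rec.remoteAddr !== "string" || typeof rec.path !== "string") continue;
    findings.push(...analyzeRecord(rec, policy));
  }
  return findings;
}

// Constructed sample log: one legitimate delivery, one spoofed host passed through the proxy,
// one direct hit on the application carrying a forged RFC 7239 header, and one corrupt line.
const SAMPLE_LOG = [
  '{"ts":"2026-03-05T10:00:00Z","remoteAddr":"10.0.0.2","host":"voice.example.com","path":"/voice/webhook","xForwardedHost":"voice.example.com","xForwardedProto":"https","xForwardedFor":"198.51.100.7","verified":true}',
  '{"ts":"2026-03-05T10:00:07Z","remoteAddr":"10.0.0.2","host":"voice.example.com","path":"/voice/webhook","xForwardedHost":"spoofed.example","xForwardedProto":"http","xForwardedFor":"203.0.113.9","verified":true}',
  '{"ts":"2026-03-05T10:00:09Z","remoteAddr":"203.0.113.9","host":"voice.example.com","path":"/voice/webhook","forwarded":"for=127.0.0.1;host=\\"voice.example.com\\";proto=https","verified":false}',
  'not json at all',
].join("\n");

const POLICY: DetectionPolicy = {
  trustedProxies: ["10.0.0.2"],
  allowedHosts: ["voice.example.com"],
};

for (const f of analyzeLog(SAMPLE_LOG, POLICY)) console.log(`${f.ts} ${f.rule}: ${f.detail}`);
```

On the sample, the first record is clean, the second fires the verified-with-unlisted-forwarded-host rule (the pattern to page on), and the third fires the untrusted-peer rule, which also tells you the proxy can be bypassed entirely and network-level access controls are missing.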
How to Mitigate CVE-2026-28465
Immediate Actions Required
- Upgrade OpenClaw voice-call plugin to version 2026.2.3 or later immediately
- Review and audit current reverse-proxy configurations for implicit header trust
- Configure the new allowedHosts security option to restrict accepted hostnames for webhook URL reconstruction
- Remove the deprecated allowNgrokFreeTier option from existing configuration; the patched tunnel schema is strict and no longer defines that key, so a leftover entry fails validation rather than being ignored
Patch Information
The security fix is available in commit a749db9820eb6d6224032a5a34223d286d2dcc2f. This patch introduces the VoiceCallWebhookSecurityConfigSchema with explicit security controls:
- allowedHosts: A hostname allowlist for webhook URL reconstruction, ensuring only trusted hosts are accepted from forwarding headers
- trustForwardingHeaders: An explicit flag (defaulting to false) that must be consciously enabled to trust forwarding headers
The patch also removes the deprecated allowNgrokFreeTier option and updates provider integrations like Plivo to use the new WebhookSecurityConfig type.
For more details, see the GitHub Security Advisory GHSA-3m3q-x3gj-f79x and the VulnCheck Advisory.
Workarounds
- Configure the reverse proxy to overwrite, not pass through, the forwarding headers it sends upstream, so the application only ever sees values the proxy itself set (in nginx, for example, `proxy_set_header X-Forwarded-Host $host;` replaces any client-supplied value and `proxy_set_header Forwarded "";` drops that header entirely)
- Implement network-level access controls to restrict webhook endpoint access to known legitimate sources only
- Deploy a web application firewall (WAF) rule to detect and block requests with suspicious header manipulation patterns
- Temporarily disable the voice-call plugin webhook functionality if immediate patching is not feasible
# Configuration example for secure webhook settings after upgrade.
# The allowedHosts and trustForwardingHeaders fields come from the patched schema; the
# surrounding key path (voiceCall.webhookSecurity) and file name are illustrative and must
# be adapted to your deployment's configuration layout.
voiceCall:
webhookSecurity:
# Explicitly list allowed hostnames for webhook URL reconstruction
allowedHosts:
- "api.yourdomain.com"
- "webhooks.yourdomain.com"
# Keep this false unless you fully trust your proxy chain
trustForwardingHeaders: false
tunnel:
provider: "none"
allowNgrokFreeTierLoopbackBypass: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

