OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

使用欺骗进行的认证绕过

OpenClaw 数据伪造问题漏洞

OpenClaw是openclaw开源的一个智能人工助理。 OpenClaw 2026.2.3之前版本存在数据伪造问题漏洞，该漏洞源于webhook验证存在身份验证不当，可能导致远程攻击者通过提供不受信任的转发标头绕过验证。

N/A

N/A