OpenClaw Voice-Call Plugin Improper Authentication Vulnerability in Webhook Verification

Vulnerability

A vulnerability exists in OpenClaw's voice-call plugin in versions prior to 2026.2.3. It allows remote attackers to bypass webhook verification by supplying untrusted forwarded headers such as 'Forwarded' or 'X-Forwarded-*'. The issue arises in reverse-proxy configurations that implicitly trust these headers, which lets an attacker spoof webhook events.

Impact

Exploitation of this vulnerability allows for the spoofing of webhook events, which can be processed as valid by the application.

Reproduction

To reproduce this vulnerability, enable the voice-call plugin in an OpenClaw application deployed behind a reverse proxy that trusts forwarded headers. Once the plugin is active, send a webhook request that includes manipulated 'X-Forwarded-*' headers to bypass the default verification process. Because verification is bypassed, the request is accepted as valid.

Remediation

Users can upgrade to OpenClaw voice-call plugin version 2026.2.3 or later. Those using the legacy package '@clawdbot/voice-call' should migrate to '@openclaw/voice-call'. If an immediate upgrade is not possible, strip 'Forwarded' and 'X-Forwarded-*' headers at the edge so that clients cannot supply them directly.
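As an added example (not code from OpenClaw or the voice-call plugin), the following Node.js sketch shows the two defensive rules behind the remediation: drop 'Forwarded' and 'X-Forwarded-*' unless the TCP peer is a configured trusted proxy, and derive the URL used for webhook verification from a fixed public base URL rather than from client-controlled headers. The names publicBaseUrl and trustedProxies and the sample headers are assumptions constructed for this example.

```javascript
// Matches the spoofable proxy headers named in the advisory.
const FORWARDED_HEADER = /^(forwarded|x-forwarded-.+)$/i;

// headers: plain object of header name -> value.
// remoteAddr: address of the TCP peer that delivered the request.
// trustedProxies: addresses of the reverse proxies allowed to set these headers.
// Returns a copy of the headers with Forwarded/X-Forwarded-* removed unless the
// request really came from a trusted proxy.
function stripUntrustedForwardedHeaders(headers, remoteAddr, trustedProxies) {
  const trusted = trustedProxies.includes(remoteAddr);
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!trusted && FORWARDED_HEADER.test(name)) continue; // drop client-supplied value
    cleaned[name.toLowerCase()] = value;
  }
  return cleaned;
}

// Webhook signature schemes commonly bind the signature to the full request
// URL. Build that URL from the operator-configured publicBaseUrl (assumed
// setting) so a caller cannot steer verification via forwarded host/proto.
function webhookUrlForVerification(publicBaseUrl, path) {
  return new URL(path, publicBaseUrl).toString();
}

// Constructed sample: a request that reached the app directly, carrying
// forwarded headers the client chose itself.
const constructedHeaders = {
  host: 'internal-host:3000',
  'x-forwarded-host': 'spoofed.example',
  'x-forwarded-proto': 'https',
  forwarded: 'for=203.0.113.9;host=spoofed.example',
  'content-type': 'application/x-www-form-urlencoded',
};

const direct = stripUntrustedForwardedHeaders(constructedHeaders, '203.0.113.9', ['10.0.0.2']);
console.log(Object.keys(direct)); // forwarded headers gone: [ 'host', 'content-type' ]
console.log(webhookUrlForVerification('https://voice.example.com', '/voice/webhook'));
```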

Added: Mar 5, 2026, 10:36 PM
Updated: Mar 5, 2026, 10:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.2
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.