CVE-2026-28449

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.25

Description OpenClaw versions prior to 2026.2.25 do not have durable replay state for Nextcloud Talk webhook events. This allows valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing, potentially causing integrity or availability issues. The issue stems from the verification of HMAC(secret, random + body) without durable replay state tied to webhook events. The fix adds persistent per-account replay deduplication for Nextcloud Talk webhook events, replay checks before webhook side effects, and backend-origin validation. This is an integrity and availability issue scoped to deployments using Nextcloud Talk webhook integration.

Recommendations OpenClaw versions prior to 2026.2.25 should be updated to version 2026.2.25 or later.