CVE-2026-33580

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28

Description OpenClaw is affected by a missing rate limiting issue in the Nextcloud Talk webhook authentication. This allows attackers to attempt to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling. The vulnerability impacts the authentication process for webhooks related to Nextcloud Talk. The webhook endpoint is susceptible to repeated authentication attempts. The shared secret used for authentication, shared secret, is vulnerable to brute-force attacks due to the lack of rate limiting.

Recommendations Update OpenClaw to version 2026.3.28 or later.