Skip to main content

Nextcloud CVE-2026-32012

| EUVDEUVD-2026-14563 MEDIUM
Authentication Bypass by Capture-replay (CWE-294)
2026-03-23 VulnCheck GHSA-ffxm-98hg-x985
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 23, 2026 - 22:00 euvd
EUVD-2026-14563
Analysis Generated
Mar 23, 2026 - 22:00 vuln.today
Patch released
Mar 23, 2026 - 22:00 nvd
Patch available
CVE Published
Mar 23, 2026 - 21:36 nvd
MEDIUM 4.8

DescriptionCVE.org

OpenClaw before 2026.2.25 lacks durable replay state for Nextcloud Talk webhook events, allowing valid signed requests to be replayed. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound processing and cause integrity or availability issues.

AnalysisAI

OpenClaw before version 2026.2.25 fails to implement durable replay state validation for Nextcloud Talk webhook events, allowing attackers to capture and replay previously valid signed webhook requests to cause duplicate processing. This affects all versions of OpenClaw prior to the patched release, and an attacker with network access can exploit this vulnerability without authentication or user interaction to trigger integrity and availability impacts such as duplicate message processing or resource exhaustion.

Technical ContextAI

The vulnerability exists in OpenClaw's webhook handling mechanism for Nextcloud Talk integrations, specifically in the absence of cryptographic replay protection mechanisms (CWE-294: Improper Handling of Insufficient Cryptographic Entropy). While webhook requests are cryptographically signed to verify origin, the application lacks a durable replay state store (such as a nonce cache, timestamp validation window, or idempotency key tracking) to prevent the same signed payload from being processed multiple times. This is a protocol-level design flaw rather than a cryptographic weakness—the signatures themselves are valid; the problem is that valid signatures are treated as sufficient proof of authenticity without considering whether the exact same request has already been processed. The affected product is OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*), a webhook integration platform for Nextcloud Talk.

RemediationAI

Upgrade OpenClaw to version 2026.2.25 or later immediately, which includes fixes to implement durable replay state validation for webhook events. The patched commit (d512163d686ad6741783e7119ddb3437f493dbbc) is available on the OpenClaw GitHub repository. Until patching is completed, implement network-level mitigations including: restrict webhook ingestion to trusted Nextcloud Talk server IP ranges using firewall rules; enforce TLS 1.2 or higher for all webhook transport; monitor webhook processing logs for anomalous duplicate activity patterns; and consider implementing a temporary reverse proxy with request deduplication based on cryptographic request fingerprinting (hash of signature plus timestamp). See the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w for complete remediation guidance.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-32012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy