Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw before 2026.2.25 lacks durable replay state for Nextcloud Talk webhook events, allowing valid signed requests to be replayed. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound processing and cause integrity or availability issues.
AnalysisAI
OpenClaw before version 2026.2.25 fails to implement durable replay state validation for Nextcloud Talk webhook events, allowing attackers to capture and replay previously valid signed webhook requests to cause duplicate processing. This affects all versions of OpenClaw prior to the patched release, and an attacker with network access can exploit this vulnerability without authentication or user interaction to trigger integrity and availability impacts such as duplicate message processing or resource exhaustion.
Technical ContextAI
The vulnerability exists in OpenClaw's webhook handling mechanism for Nextcloud Talk integrations, specifically in the absence of cryptographic replay protection mechanisms (CWE-294: Improper Handling of Insufficient Cryptographic Entropy). While webhook requests are cryptographically signed to verify origin, the application lacks a durable replay state store (such as a nonce cache, timestamp validation window, or idempotency key tracking) to prevent the same signed payload from being processed multiple times. This is a protocol-level design flaw rather than a cryptographic weakness—the signatures themselves are valid; the problem is that valid signatures are treated as sufficient proof of authenticity without considering whether the exact same request has already been processed. The affected product is OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*), a webhook integration platform for Nextcloud Talk.
RemediationAI
Upgrade OpenClaw to version 2026.2.25 or later immediately, which includes fixes to implement durable replay state validation for webhook events. The patched commit (d512163d686ad6741783e7119ddb3437f493dbbc) is available on the OpenClaw GitHub repository. Until patching is completed, implement network-level mitigations including: restrict webhook ingestion to trusted Nextcloud Talk server IP ranges using firewall rules; enforce TLS 1.2 or higher for all webhook transport; monitor webhook processing logs for anomalous duplicate activity patterns; and consider implementing a temporary reverse proxy with request deduplication based on cryptographic request fingerprinting (hash of signature plus timestamp). See the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w for complete remediation guidance.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14563
GHSA-ffxm-98hg-x985