Moderate severity · NVD Advisory · Published Mar 19, 2026 · Updated Apr 29, 2026
OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression
CVE-2026-28449
Description
OpenClaw versions prior to 2026.2.25 do not keep durable replay state for Nextcloud Talk webhook events, so a validly signed webhook request is accepted again every time it is resubmitted. An attacker who captures a previously valid signed request can replay it to trigger duplicate inbound message processing, causing integrity or availability issues.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.25 | 2026.2.25 |
References
- github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc (patch commit)
- github.com/advisories/GHSA-r9q5-c7qc-p26w (GitHub advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w (project security advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28449 (NVD)
- www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression (VulnCheck advisory)