Description
OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.
Published: 2026-03-19
Score: 6.3 Medium (CVSS v4.0)
EPSS: < 1% Very Low
KEV: No
Impact: Replay of signed webhook events leading to duplicate processing, potential data integrity loss, and service disruption
Action: Patch
AI Analysis

Impact

OpenClaw versions earlier than 2026.2.25 lack durable replay state (suppression state that survives a process restart) for Nextcloud Talk webhook events. Signature verification alone cannot tell a fresh event from a captured copy, so an attacker who obtains a valid signed webhook payload can replay it without suppression. Each replay causes duplicate inbound message processing, which can corrupt data integrity or disrupt availability of the messaging integration. The weakness is identified as CWE-294, Improper Handling of Reset or Replay Conditions.

Affected Systems

All OpenClaw installations running any version before 2026.2.25 are affected. The vulnerability applies to the openclaw:openclaw product (Node.js target) as represented by the CPE string cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*.

Risk and Exploitability

The CVSS v4.0 base score of 6.3 indicates moderate severity; the vector's AT:P (attack requirements present) reflects that the adversary must first obtain a previously valid signed webhook request, for example by intercepting it between Nextcloud Talk and OpenClaw or from a proxy or log that recorded it. The EPSS score is below 1% (very low), the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. Once such a request is in hand, no privileges or user interaction are needed to replay it, so the integrity and availability impact is real for any deployment that treats a valid signature as proof that an event is fresh.

Generated by OpenCVE AI on March 19, 2026 at 03:21 UTC.

Remediation

No vendor workaround is listed. The affected range ends at 2026.2.25, so upgrading to OpenClaw 2026.2.25 or later is the fix (see the GitHub advisory GHSA-r9q5-c7qc-p26w).

OpenCVE Recommended Actions

  • Apply the official OpenClaw patch 2026.2.25 or later.
  • If a patch cannot be applied immediately, disable or remove unused webhook endpoints to prevent replay of captured requests.
  • Monitor webhook traffic for duplicate events and investigate any unexpected repetitions.

Advisories

Source: GitHub GHSA
ID: GHSA-r9q5-c7qc-p26w
Title: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
History

Wed, 25 Mar 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}
  Added:   {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Thu, 19 Mar 2026 17:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 01:30:00 +0000

Description
  Added: OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.
Title
  Added: OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression
First Time appeared
  Added: Openclaw; Openclaw openclaw
Weaknesses
  Added: CWE-294
CPEs
  Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products
  Added: Openclaw; Openclaw openclaw
References
  Added: (none listed)
Metrics (cvssV3_1)
  Added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}
Metrics (cvssV4_0)
  Added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T14:30:37.334Z

Reserved: 2026-02-27T19:16:50.224Z

Link: CVE-2026-28449

Vulnrichment

Updated: 2026-03-19T17:05:04.089Z

NVD

Status : Modified

Published: 2026-03-19T02:16:02.390

Modified: 2026-03-25T15:16:39.607

Link: CVE-2026-28449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:34Z

Weaknesses