CVE-2026-28449 in OpenClaw

Summary

by MITRE • 03/19/2026

OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.


Analysis

by VulDB Data Team • 03/26/2026

CVE-2026-28449 affects OpenClaw versions prior to 2026.2.25 and concerns the handling of Nextcloud Talk webhook events. The root cause is the absence of durable replay state in the webhook processing path: the receiver checks that a request carries a valid signature, but it does not persistently record which signed requests it has already accepted. A request that was valid once therefore stays valid, and an attacker who has captured it can submit it again without the replay being detected or suppressed.

The flaw is a missing replay-detection and replay-suppression step in the Nextcloud Talk integration. A valid cryptographic signature establishes that a request was produced by the legitimate sender; it says nothing about whether the request is being presented for the first time. To prevent the same signed request from being processed repeatedly, the receiver must keep state about what it has already processed, and that state must be durable rather than lost between runs. The vulnerable implementation lacks this durability, so captured webhook payloads can be replayed at will. Because the system cannot tell a fresh delivery from a replayed one, the weakness undermines message integrity and non-repudiation.

The operational impact goes beyond simple message duplication. A successfully replayed webhook request triggers duplicate inbound message processing, which can corrupt data, exhaust system resources, or disrupt availability, and these effects can cascade through the message processing infrastructure. The exposure is greatest where webhook events drive critical business processes, automated workflows, or security-related actions, since replays can then disrupt legitimate operations and lead to unauthorized changes or service degradation.

This vulnerability aligns with CWE-347, which addresses the improper validation of cryptographic signatures, and relates to ATT&CK technique T1566.002 for social engineering through web application attacks. The attack vector is to capture network traffic containing signed webhook requests and replay it, exploiting the receiver's failure to maintain durable replay state. Organizations running OpenClaw should update to version 2026.2.25 or later, which adds proper replay detection. Complementary defensive measures include monitoring for unusual webhook traffic patterns, request deduplication at the network level, and more detailed logging of webhook processing so that replays can be detected after the fact. The case illustrates why robust replay protection is essential in distributed systems that rely on cryptographic signatures for authentication and authorization.
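The following is an added example of what "durable replay state" for a signed webhook receiver looks like in practice; it is not OpenClaw's code nor the project's fix, and it does not reproduce the actual Nextcloud Talk signing scheme. It assumes a generic scheme of this shape: the sender puts a random nonce in a header, signs nonce || body with HMAC-SHA256 under a shared secret, and the JSON body carries a unix timestamp. The header names, the secret and the sample event are constructed placeholders. The receiver verifies the signature in constant time, bounds the age of the event, and then records the nonce in an SQLite table whose primary key makes the first-seen check atomic and persistent across a restart. The demo shows the first delivery accepted, the identical request rejected as a replay both before and after the store is reopened, a tampered body rejected on signature, and an expired event rejected as stale.

```python
import hashlib
import hmac
import json
import os
import secrets
import sqlite3
import tempfile

# Assumed scheme (not from the advisory): a random nonce header plus an
# HMAC-SHA256 over nonce || body; the JSON body carries a unix "timestamp".
# Header names are placeholders.
NONCE_HEADER = "X-Webhook-Nonce"
SIGNATURE_HEADER = "X-Webhook-Signature"
MAX_SKEW_SECONDS = 300                     # accept events at most 5 minutes old or ahead
RETENTION_SECONDS = 2 * MAX_SKEW_SECONDS   # keep nonces longer than the accept window


def sign(secret: bytes, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over nonce || body, hex encoded."""
    return hmac.new(secret, nonce.encode() + body, hashlib.sha256).hexdigest()


class ReplayStore:
    """Durable first-seen record of nonces, backed by SQLite so that a restart
    of the receiver does not forget which requests it has already processed."""

    def __init__(self, path: str):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS seen_nonce ("
            "nonce TEXT PRIMARY KEY, received_at INTEGER NOT NULL)"
        )
        self.conn.commit()

    def claim(self, nonce: str, now: int) -> bool:
        """Atomically record the nonce; True only for the first claimant.
        The PRIMARY KEY also makes concurrent duplicates lose the race."""
        cur = self.conn.execute(
            "INSERT OR IGNORE INTO seen_nonce (nonce, received_at) VALUES (?, ?)",
            (nonce, now),
        )
        self.conn.commit()
        return cur.rowcount == 1

    def prune(self, now: int) -> int:
        """Drop nonces older than the retention window. Retention exceeds
        MAX_SKEW so every request still inside the accept window stays known."""
        cur = self.conn.execute(
            "DELETE FROM seen_nonce WHERE received_at < ?", (now - RETENTION_SECONDS,)
        )
        self.conn.commit()
        return cur.rowcount

    def close(self) -> None:
        self.conn.close()


def process_webhook(secret: bytes, headers: dict, body: bytes,
                    store: ReplayStore, now: int) -> str:
    """Return one of: ok, bad_signature, malformed, stale, replay."""
    nonce = headers.get(NONCE_HEADER, "")
    presented = headers.get(SIGNATURE_HEADER, "")
    # 1. Authenticity first, with a constant-time comparison of the MAC.
    if not nonce or not hmac.compare_digest(sign(secret, nonce, body), presented):
        return "bad_signature"
    # 2. Freshness: bounds how long a captured request stays usable and lets
    #    the nonce table be pruned.
    try:
        ts = int(json.loads(body)["timestamp"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "stale"
    # 3. Replay suppression: the durable first-seen check. Done last so that
    #    unauthenticated traffic cannot fill the table.
    if not store.claim(nonce, now):
        return "replay"
    return "ok"


def make_request(secret: bytes, event: dict) -> tuple:
    """Build a signed request the way an honest sender would (constructed sample)."""
    body = json.dumps(event, sort_keys=True).encode()
    nonce = secrets.token_hex(32)
    return {NONCE_HEADER: nonce, SIGNATURE_HEADER: sign(secret, nonce, body)}, body


def demo() -> list:
    """Exercise first delivery, replay, restart, tampering and expiry."""
    secret = b"constructed-shared-secret"
    now = 1_700_000_000
    path = os.path.join(tempfile.mkdtemp(), "replay.db")
    outcomes = []
    headers, body = make_request(secret, {"type": "message", "text": "hi", "timestamp": now})
    store = ReplayStore(path)
    outcomes.append(process_webhook(secret, headers, body, store, now))          # ok
    outcomes.append(process_webhook(secret, headers, body, store, now + 5))      # replay
    store.close()
    store = ReplayStore(path)  # simulate a process restart: state must survive
    outcomes.append(process_webhook(secret, headers, body, store, now + 10))     # replay
    tampered = body.replace(b'"hi"', b'"bye"')
    outcomes.append(process_webhook(secret, headers, tampered, store, now))      # bad_signature
    old_headers, old_body = make_request(secret, {"type": "message", "timestamp": now - 3600})
    outcomes.append(process_webhook(secret, old_headers, old_body, store, now))  # stale
    store.close()
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the signature is verified before anything is written, so unauthenticated traffic cannot grow the nonce table, and the timestamp window is what makes pruning safe, because a nonce can only be forgotten once no request carrying it could still pass the freshness check.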

Responsible

VulnCheck

Reservation

02/27/2026

Disclosure

03/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00066

KEV

no

Activities

very low
