Nextcloud Talk webhooks can be replayed, causing duplicate actions

GHSA-r9q5-c7qc-p26w
Summary

If an attacker intercepts a valid Nextcloud Talk webhook, they can reuse it to trigger duplicate actions in your system. This can cause noise and availability issues in your Nextcloud Talk integration. To fix this, update to version 2026.2.25 of the OpenClaw package.

What to do
  • Update openclaw to version 2026.2.25.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.24 | 2026.2.25 |
Original title
OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Original description
### Summary
When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart.

### Details
OpenClaw's Nextcloud Talk webhook path verified `HMAC(secret, random + body)` but previously lacked durable replay state tied to webhook events. This allowed replay of a previously valid signed request in some operational conditions.

The fix on `main` adds:
- persistent per-account replay dedupe for Nextcloud Talk webhook events,
- replay checks before webhook side effects (`onMessage`),
- backend-origin validation against configured account base URL (when configured).

### Impact
A captured valid signed webhook request could be replayed to trigger duplicate inbound handling. This is an integrity/availability issue (duplicate actions/noise), scoped to deployments using Nextcloud Talk webhook integration.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.24`
- Patched in release: `2026.2.25`

### Fix Commit(s)
- `d512163d686ad6741783e7119ddb3437f493dbbc`

### Release Process Note
`patched_versions` is pre-set to the release (`2026.2.25`) so that the advisory can be published as soon as npm release `2026.2.25` is published.

OpenClaw thanks @aristorechina for reporting.
Severity (GHSA, CVSS 4.0): 5.3
Vulnerability type
CWE-294 (Authentication Bypass by Capture-replay)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026