8 matches found
CVE-2026-28474
OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...
CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing
OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...
CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing
OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...
OpenClaw Security Vulnerability
OpenClaw is an open-source artificial intelligence assistant. Versions of OpenClaw prior to 2026.2.6 contain a security vulnerability. It stems from a flaw in allowlist validation that allowed equality matching on the mutable actor.name field. This could allow attacker...
Nextcloud Talk allowlist bypass via actor.name display name spoofing
Summary: In affected versions of the optional Nextcloud Talk plugin (installed separately; not bundled with the core OpenClaw install), an untrusted webhook field (actor.name, display name) could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an...
User Impersonation
Overview: @openclaw/nextcloud-talk is an OpenClaw Nextcloud Talk channel plugin. Affected versions of this package are vulnerable to User Impersonation via the actor.name field in webhook payloads. An attacker can gain unauthorized access to direct messages or rooms by spoofing their display name t...
GHSA-R5H9-VJQC-HQ3R Nextcloud Talk allowlist bypass via actor.name display name spoofing
Summary: In affected versions of the optional Nextcloud Talk plugin (installed separately; not bundled with the core OpenClaw install), an untrusted webhook field (actor.name, display name) could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an...
PT-2026-23549
Name of the Vulnerable Software and Affected Versions: OpenClaw Nextcloud Talk plugin versions prior to 2026.2.6. Description: The Nextcloud Talk plugin allows attackers to bypass direct message (DM) and room allowlists. The plugin incorrectly uses the mutable actor.name field for allowlist validation...