EUVD-2026-21106

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

GHSA-5F7H-P83X-5VC2 Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhq5-45pm-2gjr. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room...

Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhq5-45pm-2gjr. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room...

CVE-2026-35624

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

CVE-2026-35624 OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

CVE-2026-35624 OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

CVE-2026-35624

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms. Affec...

CVE-2026-35624

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities were caused by a strategy confusion in room authorization. Attackers could exploit rooms with similar names to bypas...

PT-2026-31760

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

CVE-2026-33580

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...

OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

Summary Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak. Impact An attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events...

GHSA-9528-X887-J2FP OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

Summary Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak. Impact An attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events...

Brute Force

Overview @openclaw/nextcloud-talk is an OpenClaw Nextcloud Talk channel plugin Affected versions of this package are vulnerable to Brute Force via the webhook authentication process. An attacker can gain unauthorized access by repeatedly attempting to guess shared secrets without restriction,...

Incorrect Authorization

Overview @openclaw/nextcloud-talk is an OpenClaw Nextcloud Talk channel plugin Affected versions of this package are vulnerable to Incorrect Authorization due to missing validation of caller scopes in the pair approve process. An attacker can gain unauthorized administrative access by approving...

GHSA-GM9M-X74R-8WHG Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9528-x887-j2fp. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication...

Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9528-x887-j2fp. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication...

EUVD-2026-17439

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...

CVE-2026-33580

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...

CVE-2026-33580 OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...