Executive Summary

CVE-2026-28449 is a vulnerability in OpenClaw versions prior to 2026.2.25 affecting the Nextcloud Talk webhook integration. The issue is that the system lacks durable replay protection for signed webhook events, allowing attackers to capture valid signed webhook requests and replay them without detection.

Because the replay state is not persistently stored, replayed requests can be accepted even after server restarts or replay windows expire. This leads to duplicate inbound message processing, which can cause integrity or availability problems.

The vulnerability is classified under CWE-294 (Authentication Bypass by Capture-replay), meaning attackers can bypass authentication by replaying previously valid requests.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to replay previously valid signed webhook requests, causing duplicate processing of inbound messages.

Such replay attacks can lead to integrity issues, where the system processes the same event multiple times, potentially causing inconsistent or incorrect data states.

Additionally, it can cause availability issues by generating unnecessary load or noise through repeated processing of the same webhook events.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves replayed signed webhook requests to Nextcloud Talk that bypass durable replay suppression. Detection involves monitoring for repeated identical signed webhook requests that trigger duplicate inbound message processing.'}, {'type': 'paragraph', 'content': 'Since the vulnerability exploits replayed webhook events, you can detect it by inspecting network traffic for repeated webhook POST requests with identical signatures or payloads.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect replayed webhook requests might include using network traffic capture and analysis tools such as tcpdump or Wireshark to filter HTTP POST requests to the webhook endpoint and identify duplicates.'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /nextcloud-talk-webhook'"}, {'type': 'list_item', 'content': 'Use grep or similar tools on server logs to find repeated webhook requests with the same signature or payload.'}, {'type': 'list_item', 'content': 'Implement or enable logging in the webhook server to record the signature and payload hashes of incoming requests to identify duplicates.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.2.25 or later, which includes the fix for this vulnerability.

The fix introduces durable replay state with persistent per-account replay deduplication to prevent replayed webhook requests from being processed multiple times.

Additional mitigation steps include:

• Enable backend origin validation to reject webhook requests from unexpected origins.
• Reject unsigned webhook requests early before processing the request body.
• Monitor webhook traffic for replayed requests and configure alerting for suspicious repeated webhook events.

If upgrading immediately is not possible, consider implementing custom replay detection and backend origin validation in your webhook handling logic as a temporary workaround.

Useful 0 Not Useful 0