OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

Description

Summary

Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.

Impact

An attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.

Affected Component

extensions/nextcloud-talk/src/monitor.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit e403decb6e (nextcloud-talk: throttle repeated webhook auth failures).

OpenClaw thanks @AntAISecurityLab for reporting.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-31 23:59:17 UTC
Updated
2026-04-06 22:53:26 UTC
GitHub reviewed
2026-03-31 23:59:17 UTC

EPSS Score

Score Percentile
0.08% 22.67%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-307 Improper Restriction of Excessive Authentication Attempts

Credits

  • AntAISecurityLab (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm openclaw <= 2026.3.24 2026.3.28

References

cvelogic Threat Intelligence