Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.
An attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.
extensions/nextcloud-talk/src/monitor.ts
<= 2026.3.24>= 2026.3.282026.3.28 contains the fix.Fixed by commit e403decb6e (nextcloud-talk: throttle repeated webhook auth failures).
OpenClaw thanks @AntAISecurityLab for reporting.
| Score | Percentile |
|---|---|
| 0.08% | 22.67% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-9528-x887-j2fp ↗ |
| CVE | CVE-2026-33580 ↗ |
| CWE id | Name |
|---|---|
| CWE-307 | Improper Restriction of Excessive Authentication Attempts |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | <= 2026.3.24 | 2026.3.28 | — |