CVE-2026-28474: Nextcloud Talk allowlist bypass via actor.name display name spoofing
(updated )
In affected versions of the optional Nextcloud Talk plugin (installed separately; not bundled with the core OpenClaw install), an untrusted webhook field (actor.name, display name) could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an allowlisted user ID and bypass DM or room allowlists.
References
- github.com/advisories/GHSA-r5h9-vjqc-hq3r
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/660f87278c9f292061e097441e0b10c20d62b31b
- github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d
- github.com/openclaw/openclaw/releases/tag/v2026.2.3
- github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r
- nvd.nist.gov/vuln/detail/CVE-2026-28474
Code Behaviors & Features
Detect and mitigate CVE-2026-28474 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →