CVE-2026-28449

OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression

CVSS 6.3 MEDIUMEPSS 0.3%CWE-294

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

19 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Affected products

OpenClaw · OpenClaw

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w https://www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression