CVE-2026-28449

OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression

CVSS 6.3 MEDIUMEPSS 0.3%CWE-294

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

19 mar 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Productos afectados

OpenClaw · OpenClaw

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w https://www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression