CVE-2026-28474

OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r	Patch Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing	Third Party Advisory Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

06 May 2026, 14:49

Type	Values Removed	Values Added
First Time		Openclaw openclaw Openclaw
References	~~() https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d -~~	() https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r - Patch, Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing -~~	() https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing - Third Party Advisory, Broken Link
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Las versiones del plugin Nextcloud Talk de OpenClaw anteriores a la 2026.2.6 aceptan la coincidencia de igualdad en el campo mutable del nombre de visualización actor.name para la validación de listas de permitidos, lo que permite a los atacantes eludir las listas de permitidos de MD y salas. Un atacante puede cambiar su nombre de visualización de Nextcloud para que coincida con un ID de usuario en la lista de permitidos y obtener acceso no autorizado a conversaciones restringidas.

05 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 22:16

Updated : 2026-05-06 14:49

NVD link : CVE-2026-28474

Mitre link : CVE-2026-28474

CVE.ORG link : CVE-2026-28474

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-863

Incorrect Authorization

9.8 /10