CVE-2026-28449

描述

### Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. ### Details OpenClaw's Nextcloud Talk webhook path verified `HMAC(secret, random + body)` but previously lacked durable replay state tied to webhook events. This allowed replay of a previously valid signed request in some operational conditions. The fix on `main` adds: - persistent per-account replay dedupe for Nextcloud Talk webhook events, - replay checks before webhook side effects (`onMessage`), - backend-origin validation against configured account base URL (when configured). ### Impact A captured valid signed webhook request could be replayed to trigger duplicate inbound handling. This is an integrity/availability issue (duplicate actions/noise), scoped to deployments using Nextcloud Talk webhook integration. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.24` - Patched in release: `2026.2.25` ### Fix Commit(s) - `d512163d686ad6741783e7119ddb3437f493dbbc` ### Release Process Note `patched_versions` is pre-set to the release (`2026.2.25`) so once npm release `2026.2.25` is published, advisory is now published. OpenClaw thanks @aristorechina for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.25

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-28449
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w
• WEBhttps://www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression