CVE-2026-28474
Nextcloud Talk allowlist bypass via actor.name display name spoofing
Description

## Summary

In affected versions of the optional Nextcloud Talk plugin (installed separately; not bundled with the core OpenClaw install), an untrusted webhook field (`actor.name`, the display name) could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an allowlisted user ID and bypass DM or room allowlists.

## Details

Nextcloud Talk webhook payloads provide a stable sender identifier (`actor.id`) and a mutable display name (`actor.name`). In affected versions, the plugin's allowlist matching accepted equality on the display name, which is attacker-controlled.

## Affected Packages / Versions

- Package: `@openclaw/nextcloud-talk` (npm)
- Affected: `<= 2026.2.2`
- Fixed: `>= 2026.2.6`

Note: This advisory applies to the optional Nextcloud Talk plugin package. Core `openclaw` is not impacted unless you installed and use `@openclaw/nextcloud-talk`.

## Fix Commit(s)

- [6b4b6049b47c3329a7014509594647826669892d](https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d)

## Timeline

- Introduced: [660f87278c9f292061e097441e0b10c20d62b31b](https://github.com/openclaw/openclaw/commit/660f87278c9f292061e097441e0b10c20d62b31b) (2026-01-20)
- Fixed in repo: [6b4b6049b47c3329a7014509594647826669892d](https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d) (2026-02-04 UTC)
- First fixed tag containing the change: [v2026.2.3](https://github.com/openclaw/openclaw/releases/tag/v2026.2.3)
- First fixed npm release of `@openclaw/nextcloud-talk`: `2026.2.6` (published 2026-02-07 UTC)

## Mitigation

Upgrade `@openclaw/nextcloud-talk` to `>= 2026.2.6`.

## Release Process Note

The patched version range is set to the first npm release that contains the fix. Once you are ready, you can publish this advisory without additional version edits.

Thanks to @MegaManSec (https://joshua.hu) of [AISLE Research Team](https://aisle.com/) for reporting.
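The matching flaw described above, shown as an added example that is not the plugin's own code: a vulnerable matcher that accepts the mutable `actor.name`, the hardened form that compares only the stable `actor.id`, and a detection helper that flags a display name colliding with an allowlisted ID. The payload shape and the allowlist entry format are assumptions; the sample actors are constructed.

```javascript
// Added example, not code from @openclaw/nextcloud-talk.
// A Nextcloud Talk webhook `actor` is assumed to carry a stable `id`
// and a user-editable `name` (display name).

// Vulnerable: a match on the attacker-controlled display name is enough.
function isAllowedVulnerable(actor, allowlist) {
  return allowlist.some((entry) => entry === actor.id || entry === actor.name);
}

// Hardened: only the stable sender identifier is compared; a missing or
// non-string id is rejected rather than falling back to the name.
function isAllowedFixed(actor, allowlist) {
  if (!actor || typeof actor.id !== "string" || actor.id.length === 0) {
    return false;
  }
  return allowlist.includes(actor.id);
}

// Detection aid: true when the display name equals an allowlisted ID but the
// real sender id does not, i.e. the pattern this advisory describes.
function looksLikeNameSpoof(actor, allowlist) {
  if (!actor || typeof actor.name !== "string") return false;
  return allowlist.includes(actor.name) && !allowlist.includes(actor.id);
}

// Constructed sample data (assumed allowlist entry format).
const ALLOWLIST = ["alice"];
const LEGIT_ACTOR = { type: "Person", id: "alice", name: "Alice" };
const SPOOF_ACTOR = { type: "Person", id: "mallory", name: "alice" };
```

`looksLikeNameSpoof` is meant for logging or alerting on inbound webhooks while a deployment is still on an affected version.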
How to patch CVE-2026-28474
To patch CVE-2026-28474, upgrade the affected package to the patched version listed below.
- Upgrade to 2026.2.6 or later
Is CVE-2026-28474 being exploited?
Low: EPSS is 0.1%, and no widespread exploitation activity has been observed so far.