GHSA-866c-wwm5-4rj7

Source
https://github.com/advisories/GHSA-866c-wwm5-4rj7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-866c-wwm5-4rj7/GHSA-866c-wwm5-4rj7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-866c-wwm5-4rj7
Withdrawn
2026-03-19T18:21:59Z
Published
2026-03-19T03:30:57Z
Modified
2026-03-19T18:32:21.869874Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r9q5-c7qc-p26w. This link is maintained to preserve external references.

Original Description

OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, so a valid signed webhook request is accepted again each time it is resubmitted. Signature verification alone does not stop this: the signature proves the request was produced by the legitimate sender, not that it has not been delivered before. An attacker who can capture a previously valid signed request can replay it to trigger duplicate inbound message processing, causing integrity issues (the same message handled more than once) or availability issues (load from repeated processing).

Database specific
{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-294"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T18:21:59Z",
    "nvd_published_at": "2026-03-19T02:16:02Z"
}
References

Affected packages

Package: npm / openclaw

Affected ranges (type: SEMVER)
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Last affected: 2026.2.24

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-866c-wwm5-4rj7/GHSA-866c-wwm5-4rj7.json"