GHSA-r9q5-c7qc-p26w

Source
https://github.com/advisories/GHSA-r9q5-c7qc-p26w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r9q5-c7qc-p26w/GHSA-r9q5-c7qc-p26w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r9q5-c7qc-p26w
Published
2026-03-03T23:08:55Z
Modified
2026-03-19T21:31:25.125663Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Details

Summary

When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart.

Details

OpenClaw's Nextcloud Talk webhook path verified HMAC(secret, random + body) but previously lacked durable replay state tied to webhook events. This allowed replay of a previously valid signed request in some operational conditions.

The fix on main adds:

  • persistent per-account replay dedupe for Nextcloud Talk webhook events,
  • replay checks before webhook side effects (onMessage),
  • backend-origin validation against the configured account base URL (when configured).

Impact

A captured valid signed webhook request could be replayed to trigger duplicate inbound handling. This is an integrity/availability issue (duplicate actions/noise), scoped to deployments using Nextcloud Talk webhook integration.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.24
  • Patched in release: 2026.2.25

Fix Commit(s)

  • d512163d686ad6741783e7119ddb3437f493dbbc

Release Process Note

patched_versions is pre-set to the release (2026.2.25); once npm release 2026.2.25 is published, the advisory is published.

OpenClaw thanks @aristorechina for reporting.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-03-03T23:08:55Z",
    "cwe_ids": [
        "CWE-294"
    ],
    "github_reviewed": true
}

Affected packages

npm / openclaw

Affected ranges

  • Type: SEMVER
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 2026.2.25

Database specific

  • last_known_affected_version_range: "<= 2026.2.24"
  • source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r9q5-c7qc-p26w/GHSA-r9q5-c7qc-p26w.json"