GHSA-9528-x887-j2fp: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

March 31, 2026 (updated April 6, 2026)

Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.

References

github.com/advisories/GHSA-9528-x887-j2fp
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd
github.com/openclaw/openclaw/releases/tag/v2026.3.28
github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp

Code Behaviors & Features

Detect and mitigate GHSA-9528-x887-j2fp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →