GHSA-xhq5-45pm-2gjr: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens

March 26, 2026

Nextcloud Talk room authorization matched on collidable room names instead of the stable room token, allowing policy confusion across similarly named rooms.

References

github.com/advisories/GHSA-xhq5-45pm-2gjr
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66
github.com/openclaw/openclaw/security/advisories/GHSA-xhq5-45pm-2gjr

Code Behaviors & Features

Detect and mitigate GHSA-xhq5-45pm-2gjr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →