GHSA-r5h9-vjqc-hq3r: Nextcloud Talk allowlist bypass via actor.name display name spoofing
In affected versions of the optional Nextcloud Talk plugin (installed separately; not bundled with the core OpenClaw install), an untrusted webhook field (actor.name, display name) could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an allowlisted user ID and bypass DM or room allowlists.
References
- github.com/advisories/GHSA-r5h9-vjqc-hq3r
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/660f87278c9f292061e097441e0b10c20d62b31b
- github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d
- github.com/openclaw/openclaw/releases/tag/v2026.2.3
- github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r
Code Behaviors & Features
Detect and mitigate GHSA-r5h9-vjqc-hq3r with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →