GHSA-r9q5-c7qc-p26w: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

March 3, 2026

When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart.

References

github.com/advisories/GHSA-r9q5-c7qc-p26w
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc
github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w

Code Behaviors & Features

Detect and mitigate GHSA-r9q5-c7qc-p26w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →