{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28474", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-27T19:19:46.447Z", "datePublished": "2026-03-05T21:59:49.849Z", "dateUpdated": "2026-03-09T18:08:50.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T22:28:13.938Z"}, "datePublic": "2026-02-14T00:00:00.000Z", "title": "OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing", "descriptions": [{"lang": "en", "value": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "affected": [{"defaultStatus": "unaffected", "product": "nextcloud-talk", "vendor": "OpenClaw", "versions": [{"version": "0", "lessThan": "2026.2.6", "status": "affected", "versionType": "custom"}], "packageURL": "pkg:npm/openclaw-nextcloud-talk"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r", "name": "GitHub Security Advisory (GHSA-r5h9-vjqc-hq3r)", "tags": ["vendor-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d", "name": "Patch Commit #1", "tags": ["patch"]}, {"name": "VulnCheck Advisory: OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing"}], "x_generator": {"engine": "vulncheck"}, "credits": [{"lang": "en", "value": "@MegaManSec (https://joshua.hu) of AISLE Research Team", "type": "reporter"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T18:07:43.724179Z", "id": "CVE-2026-28474", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:08:50.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28474", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T18:07:43.724179Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:08:45.625Z"}}], "cna": {"title": "OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing", "credits": [{"lang": "en", "type": "reporter", "value": "@MegaManSec (https://joshua.hu) of AISLE Research Team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenClaw", "product": "nextcloud-talk", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.2.6", "versionType": "custom"}], "packageURL": "pkg:npm/openclaw-nextcloud-talk", "defaultStatus": "unaffected"}], "datePublic": "2026-02-14T00:00:00.000Z", "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r", "name": "GitHub Security Advisory (GHSA-r5h9-vjqc-hq3r)", "tags": ["vendor-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d", "name": "Patch Commit #1", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing", "name": "VulnCheck Advisory: OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "Incorrect Authorization"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T22:28:13.938Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28474", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:08:50.134Z", "dateReserved": "2026-02-27T19:19:46.447Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-05T21:59:49.849Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "71D19426-2A6D-4B2B-8F12-C201CBAFF5C3", "versionEndExcluding": "2026.2.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations."}, {"lang": "es", "value": "Las versiones del plugin Nextcloud Talk de OpenClaw anteriores a la 2026.2.6 aceptan la coincidencia de igualdad en el campo mutable del nombre de visualizaci\u00f3n actor.name para la validaci\u00f3n de listas de permitidos, lo que permite a los atacantes eludir las listas de permitidos de MD y salas. Un atacante puede cambiar su nombre de visualizaci\u00f3n de Nextcloud para que coincida con un ID de usuario en la lista de permitidos y obtener acceso no autorizado a conversaciones restringidas."}], "id": "CVE-2026-28474", "lastModified": "2026-05-06T14:49:59.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-05T22:16:21.423", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory", "Broken Link"], "url": "https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "nextcloud-talk", "source": "cna", "vendor": "OpenClaw"}, "product": "nextcloud-talk", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-04-16T11:57:46.795821+00:00", "value": {"mitigation_remediation": ["Update the OpenClaw Nextcloud Talk plugin to version 2026.2.6 or later, which fixes the allowlist validation logic.", "If an upgrade is not immediately possible, disable or restrict the ability for users to change their display name so that the actor.name field remains immutable.", "Configure the allowlist to validate against immutable user identifiers rather than mutable display names, ensuring that spoofing the display name cannot grant additional access."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access to Restricted Conversations"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OpenClaw Nextcloud Talk plugin, specifically any deployment running a version earlier than 2026.2.6.", "description_and_impact": "OpenClaw's Nextcloud Talk plugin versions before 2026.2.6 incorrectly use a mutable display name field for allowlist checks, enabling an attacker to set their Nextcloud display name to any allowlisted user ID. This allows the attacker to bypass domain management and room allowlists and join conversations they should not have access to. The flaw represents a significant escalation of privilege within the application, compromising confidentiality of restricted conversations.", "risk_and_exploitability": "The CVSS score of 9.3 places the flaw in the high severity range. However, the EPSS score is reported as less than 1%, indicating a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, exploiting the plugin\u2019s allowlist logic via a user\u2019s display name; exploit requires legitimate authentication to the Nextcloud instance, after which the attacker can spoof a display name and gain access to protected rooms."}}}}, "created": "2026-03-06T14:59:58.480230+00:00", "updated": "2026-04-16T12:00:11.707349+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$nextcloud-talk"]}