7 Critical CVEs Hit OpenClaw's Nextcloud Talk Plugin

ClawHosters by Daniel Samer
4 min read

Seven critical vulnerabilities. All published on the same day. All scoring above 9.0 on the CVSS scale. And Belgium's national cybersecurity authority told organizations to patch immediately.

That's what happened on March 5, 2026 with OpenClaw's optional Nextcloud Talk plugin.

The Headline Bug: Display Name Spoofing

The worst of the bunch is CVE-2026-28474, rated CVSS 9.8 under CVSS 3.1 scoring.

Here's how it works. OpenClaw lets you restrict which users can talk to your AI agent through an allowlist. But the plugin was checking the user's display name instead of their actual user ID. So an attacker just changes their Nextcloud display name to match someone on the allowlist. Done. They're inside a restricted conversation, potentially one connected to an AI agent with access to internal systems.

No authentication bypass needed. No special privileges. No user interaction required. The GitLab Advisory Database confirmed the root cause: "an untrusted webhook field (actor.name) could be treated as an allowlist identifier."

That's a basic security mistake, honestly.
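To make the root cause concrete, here is an added example (not code from OpenClaw or @openclaw/nextcloud-talk) that puts an allowlist keyed on the user-editable actor.name field beside one keyed on the server-assigned actor id, plus a cheap detection for the spoofing pattern. The webhook payload shape, the actor.id field and its users/<uid> form are assumptions; all sample data is constructed.

```javascript
// Added example, not code from OpenClaw or @openclaw/nextcloud-talk. It shows
// the class of bug behind CVE-2026-28474: an allowlist keyed on a user-editable
// webhook field (actor.name) beside one keyed on the server-assigned id.
// Payload shape and the 'users/<uid>' id form are assumptions; data is constructed.

// Operator config. The fixed version stores stable ids, never display names.
const ALLOWED_NAMES = new Set(['Alice']);          // what the buggy check effectively used
const ALLOWED_USER_IDS = new Set(['users/alice']); // what it should use

// VULNERABLE: any Talk user who renames themselves to 'Alice' passes.
function isAllowedVulnerable(payload) {
  const name = payload?.actor?.name;
  return typeof name === 'string' && ALLOWED_NAMES.has(name);
}

// FIXED: exact match on actor.id; the display name is ignored. Non-string ids
// and non-local actors (guests, federated) are rejected outright.
function isAllowedFixed(payload) {
  const id = payload?.actor?.id;
  if (typeof id !== 'string' || !id.startsWith('users/')) return false;
  return ALLOWED_USER_IDS.has(id);
}

// Detection: a display name that matches an allowlisted user while the id does
// not is exactly the spoofing pattern; worth an alert, not just a silent drop.
function looksLikeSpoof(payload) {
  const { id, name } = payload?.actor ?? {};
  return typeof name === 'string' && ALLOWED_NAMES.has(name) && !isAllowedFixed({ actor: { id } });
}

// Constructed sample webhook bodies: a real allowlisted user, and an attacker
// whose account was renamed to 'Alice' (the server-side id is unchanged).
const legit   = { type: 'Create', actor: { type: 'Person', id: 'users/alice',   name: 'Alice' } };
const spoofed = { type: 'Create', actor: { type: 'Person', id: 'users/mallory', name: 'Alice' } };

function evaluate(payload) {
  return {
    vulnerable: isAllowedVulnerable(payload),
    fixed: isAllowedFixed(payload),
    spoof: looksLikeSpoof(payload),
  };
}

console.log('legit  ', evaluate(legit));   // { vulnerable: true, fixed: true,  spoof: false }
console.log('spoofed', evaluate(spoofed)); // { vulnerable: true, fixed: false, spoof: true }
```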

The Full CVE List

| CVE | CVSS 4.0 | CVSS 3.1 | Component | Fixed In |
|---|---|---|---|---|
| CVE-2026-28474 | 9.3 | 9.8 | Talk Plugin | 2026.2.6 |
| CVE-2026-28466 | 9.4 | 9.9 | Gateway | 2026.2.14 |
| CVE-2026-28391 | 9.2 | 9.8 | Talk Plugin | 2026.2.6 |
| CVE-2026-28446 | 9.2 | 9.4-9.8 | Talk Plugin | 2026.2.6 |
| CVE-2026-28470 | 9.2 | 8.1 | Talk Plugin | 2026.2.6 |
| CVE-2026-28472 | 9.2 | 9.8 | Gateway | 2026.2.6 |

One more, CVE-2026-28484 (git flag injection), was published March 5 and then withdrawn the next day. The underlying vulnerability is real and patched in 2026.2.15, but the CVE identifier itself was rejected.

Two Patch Targets, Not One

This is the part that's easy to miss. Most of these CVEs target the Nextcloud Talk plugin (@openclaw/nextcloud-talk), fixed in version 2026.2.6. But CVE-2026-28466 hits the core OpenClaw gateway and needs a separate upgrade to 2026.2.14.

Patching only the plugin leaves you exposed. Security researchers identified over 42,000 publicly exposed OpenClaw instances through Shodan and Censys scans. If you self-host OpenClaw with Nextcloud Talk enabled, update both components now.

Why This Matters for Nextcloud Users

Nextcloud Talk is deployed across hundreds of European government organizations as a sovereign alternative to Teams and Slack. An OpenClaw agent bridged into a government Nextcloud Talk instance is a high-value target.

ClawHosters Customers: You're Not Affected

ClawHosters managed instances connect AI agents through Telegram, WhatsApp, Discord, and Slack. We don't use the Nextcloud Talk plugin. And our auto-patching infrastructure keeps every instance on the latest secure OpenClaw version without you lifting a finger.

If you self-host and want to stop tracking CVE feeds yourself, check out our managed plans.

Frequently Asked Questions

No. ClawHosters connects your AI agent through Telegram, WhatsApp, Discord, and Slack. The Nextcloud Talk plugin is not installed on managed instances. You're not exposed to any of these CVEs.

The Nextcloud Talk plugin needs version 2026.2.6 or later. But don't stop there. CVE-2026-28466 affects the core OpenClaw gateway and requires version 2026.2.14. Patch both.

No public proof-of-concept code existed as of the CCB advisory on March 6, 2026. But the CVSS vector for CVE-2026-28474 shows zero preconditions: remote access, no privileges, no user interaction. The attack is straightforward enough that a working exploit probably isn't far off.
*Last updated: March 2026*
