OpenClaw Nextcloud Talk Webhook Authentication Rate Limiting Vulnerability

Vulnerability

OpenClaw versions prior to 2026.3.28 do not rate limit authentication attempts against the Nextcloud Talk webhook endpoint. Each inbound request is checked against the shared secret with no throttling or lockout, so anyone who can reach the endpoint can submit an unlimited number of guesses and brute-force a weak shared secret. An attacker who recovers the secret can sign arbitrary payloads and forge inbound webhook events that OpenClaw accepts as genuine.

Impact

With no throttling, the number of guesses an attacker can make is bounded only by network throughput, so a low-entropy shared secret (a short word, a default, a value reused from another service) can be recovered in practice. A recovered secret lets the attacker forge inbound webhook events, which OpenClaw then processes as if they came from the Nextcloud Talk instance. A long random secret is not practically guessable even without rate limiting; the problem is that the endpoint gives weak secrets no protection at all.

Reproduction

Send repeated requests to the Nextcloud Talk webhook endpoint, each carrying a signature computed with a different candidate secret (for example, taken from a wordlist). A vulnerable version rejects each bad signature but never slows down or blocks the source, so the attempts can be scripted at whatever rate the network allows and the endpoint keeps evaluating guesses indefinitely. The attack only succeeds if the deployed secret is in the candidate set, so when reproducing, configure a deliberately weak test secret rather than a random one.

Remediation

Update to OpenClaw version 2026.3.28 or later, where the webhook authentication is rate limited. Because throttling only slows guessing rather than preventing it, also rotate any shared secret that is short, guessable or reused, replacing it with a long random value, and where possible restrict network access to the webhook endpoint to the Nextcloud Talk server.
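The following is an added example, not code from OpenClaw or from this advisory. It models the unthrottled verifier described under Reproduction and a per-source lockout of the kind the fix under Remediation calls for, then runs the same wordlist brute force against both. The signing scheme (HMAC-SHA256 over a random nonce plus the body, as documented for Nextcloud Talk bots) is an assumption; the advisory does not say what OpenClaw verifies or how the patched throttling behaves. The wordlist, the deployed secret, the source addresses and the event body are all constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict


def sign(secret: str, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over nonce + body, hex encoded (assumed scheme, mirroring the
    Nextcloud Talk bot headers X-Nextcloud-Talk-Random / -Signature)."""
    return hmac.new(secret.encode(), nonce.encode() + body, hashlib.sha256).hexdigest()


class UnthrottledVerifier:
    """Vulnerable shape: every request is fully checked regardless of how many
    failed attempts the same source has already made."""

    def __init__(self, secret: str):
        self.secret = secret

    def verify(self, source: str, nonce: str, body: bytes, signature: str) -> bool:
        return hmac.compare_digest(sign(self.secret, nonce, body), signature)


class ThrottledVerifier:
    """Hardened shape: consecutive failures are counted per source and the
    source is locked out for a window once it exhausts its budget.
    `clock` is injectable so the example is deterministic."""

    def __init__(self, secret: str, max_failures: int = 5,
                 lockout_seconds: float = 300.0, clock=time.monotonic):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)  # source -> consecutive failures
        self.locked_until = {}            # source -> deadline on the clock

    def verify(self, source: str, nonce: str, body: bytes, signature: str) -> bool:
        now = self.clock()
        if now < self.locked_until.get(source, 0.0):
            return False  # locked out: the guess is not even evaluated
        if hmac.compare_digest(sign(self.secret, nonce, body), signature):
            self.failures.pop(source, None)
            return True
        self.failures[source] += 1
        if self.failures[source] >= self.max_failures:
            self.locked_until[source] = now + self.lockout_seconds
            self.failures.pop(source, None)
        return False


# Constructed wordlist; the deployed secret is deliberately one of its entries.
WEAK_CANDIDATES = ["password", "secret", "talk", "changeme", "openclaw",
                   "nextcloud", "letmein", "admin", "hunter2", "webhook"]
DEPLOYED_SECRET = "hunter2"
# Constructed forged event; the attacker controls nonce and body and needs only
# the secret to produce an accepted signature.
FORGED_BODY = b'{"type":"Create","object":{"content":"forged event"}}'
ATTACKER_NONCE = "0" * 64


def brute_force(verifier, source: str, candidates, max_attempts: int):
    """Try candidate secrets until a forged signature is accepted.
    Returns (recovered_secret_or_None, attempts_made)."""
    attempts = 0
    for guess in candidates:
        if attempts >= max_attempts:
            break
        attempts += 1
        if verifier.verify(source, ATTACKER_NONCE, FORGED_BODY,
                           sign(guess, ATTACKER_NONCE, FORGED_BODY)):
            return guess, attempts
    return None, attempts


def demo():
    attacker, nextcloud_server = "203.0.113.7", "198.51.100.2"
    good_sig = sign(DEPLOYED_SECRET, "abc", FORGED_BODY)

    found_unthrottled = brute_force(UnthrottledVerifier(DEPLOYED_SECRET),
                                    attacker, WEAK_CANDIDATES, 1000)

    fake_now = [0.0]
    throttled = ThrottledVerifier(DEPLOYED_SECRET, max_failures=5,
                                  lockout_seconds=300.0, clock=lambda: fake_now[0])
    found_throttled = brute_force(throttled, attacker, WEAK_CANDIDATES, 1000)
    # During the lockout even a correctly signed event from that source is dropped,
    locked_source = throttled.verify(attacker, "abc", FORGED_BODY, good_sig)
    # while the real server at another address is unaffected.
    other_source = throttled.verify(nextcloud_server, "abc", FORGED_BODY, good_sig)
    fake_now[0] = 301.0  # window expired: the guess budget resets
    after_window = throttled.verify(attacker, "abc", FORGED_BODY, good_sig)
    return found_unthrottled, found_throttled, locked_source, other_source, after_window


if __name__ == "__main__":
    print(demo())
```

Against the unthrottled verifier the wordlist recovers the secret on the ninth guess; the throttled verifier stops evaluating after five failures and the remaining guesses never reach the MAC check. Two caveats follow from the code: a per-source lockout can be abused to block the legitimate sender if the attacker can share or spoof its address, and the budget resets every window, so five guesses per five minutes is still more than a thousand a day. Throttling buys time; a long random secret is what actually closes the attack.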

Added: Mar 31, 2026, 3:21 PM
Updated: Mar 31, 2026, 3:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 0.0
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.