wid-sec-w-2026-0542 · Published 2026-02-25 · View on BSI CERT-Bund ↗

OpenClaw: Multiple Vulnerabilities

CVSS 8.7 HIGH

Risk Summary

OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.

CVEs (16)

CVE-2026-28449 CVE-2026-32005 CVE-2026-32012 CVE-2026-32013 CVE-2026-32025 CVE-2026-32028 CVE-2026-32042 CVE-2026-32043 CVE-2026-32050 CVE-2026-32054 CVE-2026-32057 CVE-2026-32065 CVE-2026-32898 CVE-2026-32899 CVE-2026-35632 CVE-2026-3691

Affected Vendors

Open Source

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more