
OpenClaw Nextcloud Talk Allowlist Bypass (CVE-2026-28474)

CVE-2026-28474: OpenClaw Nextcloud Talk < 2026.2.6 allowlist bypass via display name spoofing. Patch to 2026.2.6 immediately to prevent unauthorized access.


A critical vulnerability, CVE-2026-28474, affects OpenClaw's Nextcloud Talk plugin. This flaw allows attackers to bypass allowlist restrictions by spoofing display names. Users of affected versions are at risk, and an immediate patch to version 2026.2.6 is available.

This is a critical vulnerability with a CVSS score of 9.8, indicating extreme risk.

What is Openclaw?

OpenClaw is a PHP component, often used as a plugin within larger applications such as Nextcloud; in this case it provides functionality related to Nextcloud Talk. Because it sits in the access-control path, vulnerabilities in OpenClaw can have significant security implications. To learn more, you can search all OpenClaw CVEs.

CVE-2026-28474: OpenClaw Nextcloud Talk Allowlist Bypass

CVSS: 9.8

Affected versions: This vulnerability affects OpenClaw Nextcloud Talk plugin versions prior to 2026.2.6. Specifically, any installation using allowlists for access control in direct messages or rooms is vulnerable.

Critical vulnerability, requiring immediate attention.

The EPSS score of 0.052 indicates a low estimated probability of exploitation in the wild, even though the impact of a successful bypass is severe.

The vulnerability stems from improper validation of user identities against allowlists: the check accepts a match on the user-controlled display name rather than on the stable user ID. An attacker can change their display name to match a user ID on the allowlist, thereby gaining unauthorized access to direct messages and restricted rooms.
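The following added example is not OpenClaw's code; it models the bug class described above (an allowlist check that accepts a display-name match as proof of identity), the hardened check keyed on the stable user ID, and a membership-review helper that flags display names colliding with allowlisted IDs. All names, fields and sample participants are constructed for illustration.

```python
# Added example (not OpenClaw's code): models the allowlist bug class described
# above and its fix. Names, fields and sample data are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class TalkParticipant:
    user_id: str        # stable, server-assigned account identifier
    display_name: str   # free text the user can change at will


# Constructed allowlist: the operator intends to admit only these accounts.
ALLOWED_USER_IDS = frozenset({"alice", "ops-bot"})


def is_allowed_vulnerable(p: TalkParticipant, allowlist) -> bool:
    """Flawed check: treats a matching display name as proof of identity."""
    return p.user_id in allowlist or p.display_name in allowlist


def is_allowed_fixed(p: TalkParticipant, allowlist) -> bool:
    """Hardened check: only the server-assigned user ID is consulted."""
    return p.user_id in allowlist


def find_name_collisions(participants, allowlist):
    """Review aid: user IDs whose display name equals someone else's
    allowlisted ID. Useful when auditing room membership on unpatched hosts."""
    return sorted(
        p.user_id for p in participants
        if p.display_name in allowlist and p.display_name != p.user_id
    )


# Constructed sample: a legitimate member and an account renamed to "alice".
SAMPLE = [
    TalkParticipant(user_id="alice", display_name="Alice"),
    TalkParticipant(user_id="mallory", display_name="alice"),
]


def audit(participants=SAMPLE, allowlist=ALLOWED_USER_IDS):
    """Return {user_id: (vulnerable_decision, fixed_decision)} per participant."""
    return {
        p.user_id: (is_allowed_vulnerable(p, allowlist), is_allowed_fixed(p, allowlist))
        for p in participants
    }


if __name__ == "__main__":
    for uid, (vuln, fixed) in audit().items():
        print(f"{uid}: vulnerable={vuln} fixed={fixed}")
    print("display-name collisions:", find_name_collisions(SAMPLE, ALLOWED_USER_IDS))
```

Running it shows the renamed account admitted by the flawed check and rejected by the fixed one, and the collision helper lists that account for review.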

How to fix CVE-2026-28474 in Openclaw

Patch immediately
  1. Update the OpenClaw Nextcloud Talk plugin to version 2026.2.6 or later.

Update OpenClaw via Composer:

    composer update openclaw

Workaround: There is no known workaround. Applying the patch is the only way to remediate this vulnerability.

NextGuard automatically flags CVE-2026-28474 if Openclaw appears in any of your monitored projects — no manual lookup required.

Stay ahead of php vulnerabilities

Proactively detect and respond to php security threats. Use NextGuard to monitor your php dependencies and receive real-time alerts.


Frequently asked questions

This vulnerability poses a significant risk to Nextcloud Talk installations using OpenClaw. Ensure you update to version 2026.2.6 immediately to mitigate the risk of unauthorized access. You can see all php vulnerabilities on our platform.
