Platform: nextcloud
Component: nextcloud
Fixed in: 2026.2.25
CVE-2026-28449 affects Nextcloud versions prior to 2026.2.25. This vulnerability stems from a lack of durable replay state for Nextcloud Talk webhook events. An attacker can exploit this to replay previously valid, signed webhook requests, potentially causing duplicate inbound message processing and impacting the integrity or availability of the system. The vulnerability was published on 2026-03-19 and a fix is available in version 2026.2.25.
The core impact of CVE-2026-28449 lies in the potential for attackers to manipulate Nextcloud Talk's webhook functionality. By capturing and replaying legitimate, signed webhook requests, an attacker can trigger duplicate processing of inbound messages. This could lead to various consequences, depending on the actions triggered by those webhooks. For example, if a webhook is configured to update user data or trigger automated workflows, replay attacks could result in incorrect data modifications, unintended actions, or denial of service. The blast radius is limited to the functionality exposed through the affected webhooks; however, the impact on individual users or processes could be significant. This vulnerability highlights the importance of replay protection mechanisms in systems that handle sensitive events.
CVE-2026-28449 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not currently available, suggesting a lower probability of immediate widespread exploitation. However, the nature of the vulnerability (replaying signed requests that are still accepted) makes it relatively straightforward to exploit once a valid request is captured. The NVD entry was published on 2026-03-19.
Exploit Status
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2026-28449 is to upgrade Nextcloud to version 2026.2.25 or later, which includes the fix for this replay vulnerability. If immediate upgrading is not feasible, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective without deep inspection of webhook payloads, carefully reviewing and auditing webhook configurations is crucial. Ensure that webhooks are only triggered by trusted sources and that the actions they perform are carefully controlled. After upgrading, verify the integrity of recent Talk events by reviewing logs and confirming that no duplicate messages have been processed.
Update your OpenClaw instance to version 2026.2.25 or later to mitigate the risk of webhook replay attacks. This update implements durable replay suppression, preventing attackers from retransmitting valid webhook requests and causing duplicate message processing.
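The two receiver patterns described above, as an added illustration that is not code from Nextcloud or from the advisory: a receiver that only verifies the signature accepts a captured copy of a valid request, while one that records event ids in a durable store and enforces a freshness window rejects the replay. The signature scheme, header names, secret and sample payload are constructed assumptions, not Nextcloud Talk's actual wire format.

```python
import hashlib, hmac, json, sqlite3

SECRET = b"constructed-demo-secret"  # constructed; load from config in practice
MAX_SKEW = 300  # assumed freshness window in seconds

def sign(event_id: str, ts: int, body: bytes) -> str:
    # Assumed scheme: HMAC-SHA256 over "<event_id>.<ts>.<body>".
    return hmac.new(SECRET, f"{event_id}.{ts}.".encode() + body, hashlib.sha256).hexdigest()

def verify_signature(event_id: str, ts: int, body: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(event_id, ts, body), sig)

class SignatureOnlyReceiver:
    """Vulnerable pattern: valid signature, but no replay state, so a
    retransmitted copy of the same request is processed a second time."""
    def __init__(self):
        self.processed = []
    def handle(self, event_id, ts, body, sig, now):
        if not verify_signature(event_id, ts, body, sig):
            return "rejected: bad signature"
        self.processed.append(json.loads(body))
        return "processed"

class ReplaySafeReceiver:
    """Hardened pattern: signature + freshness window + durable set of seen
    event ids (SQLite; an on-disk path makes it survive restarts)."""
    def __init__(self, db_path=":memory:"):
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS seen (event_id TEXT PRIMARY KEY, ts INTEGER)")
        self.processed = []
    def handle(self, event_id, ts, body, sig, now):
        if not verify_signature(event_id, ts, body, sig):
            return "rejected: bad signature"
        if abs(now - ts) > MAX_SKEW:
            return "rejected: stale timestamp"
        try:
            with self.db:  # insert before processing; the primary key makes the check atomic
                self.db.execute("INSERT INTO seen VALUES (?, ?)", (event_id, ts))
        except sqlite3.IntegrityError:
            return "rejected: replay"
        self.processed.append(json.loads(body))
        return "processed"

def demo():
    now = 1_800_000_000  # constructed clock value
    body = json.dumps({"room": "team", "message": "deploy approved"}).encode()
    sig = sign("evt-1", now, body)
    naive, safe = SignatureOnlyReceiver(), ReplaySafeReceiver()
    # Original delivery, then the identical captured request replayed 60 s later.
    results = [r.handle("evt-1", now, body, sig, t) for r in (naive, safe) for t in (now, now + 60)]
    return results, len(naive.processed), len(safe.processed)
```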
CVE-2026-28449 is a vulnerability in Nextcloud versions prior to 2026.2.25 that allows attackers to replay signed webhook requests, leading to duplicate message processing.
You are affected if you are running a Nextcloud version from 0.0.0 up to, but not including, 2026.2.25 and use Nextcloud Talk webhooks.
Upgrade Nextcloud to version 2026.2.25 or later to resolve the vulnerability.
There is no confirmed active exploitation of CVE-2026-28449 at this time, but the vulnerability is relatively easy to exploit.
Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)