Platform
nodejs
Component
openclaw
Fixed in
2026.3.28
CVE-2026-33580 affects Nextcloud Talk, specifically its webhook functionality. This vulnerability arises from a lack of throttling on failed webhook signature validations, allowing an attacker to potentially brute-force a weak shared secret used for authentication. Versions of Nextcloud Talk prior to 2026.3.28 are vulnerable, and a fix has been released in version 2026.3.28.
The primary impact of CVE-2026-33580 is the potential for an attacker to forge inbound webhook events to Nextcloud Talk. This could lead to unauthorized actions within the Talk application, such as creating or modifying conversations, sending messages as another user, or triggering other actions dependent on the webhook integration. The severity is amplified if the shared secret used for webhook authentication is weak or easily guessable. Successful exploitation requires the attacker to be able to reach the webhook endpoint, which might be exposed externally or accessible within the same network as the Nextcloud instance.
This vulnerability was publicly disclosed on 2026-03-31. There is currently no indication of active exploitation in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature makes it likely that PoCs will emerge. The EPSS score is likely to be assessed as low to medium, given the requirement for access to the webhook endpoint and the potential for brute-forcing a weak secret.
Exploit Status
EPSS
0.08% (23rd percentile)
The primary mitigation for CVE-2026-33580 is to upgrade Nextcloud Talk to version 2026.3.28 or later. This version includes a fix that throttles repeated webhook authentication failures, preventing brute-force attacks. If upgrading is not immediately feasible, consider temporarily restricting access to the webhook endpoint to trusted sources only. Review and strengthen the shared secret used for webhook authentication; use a strong, randomly generated secret. Monitor Nextcloud Talk logs for unusual webhook activity.
Update OpenClaw to version 2026.3.28 or later. This version implements rate limiting on webhook authentication, mitigating the risk of brute-force attacks. See the security announcement and the commit on GitHub for more details on the fix.
CVE-2026-33580 is a medium severity vulnerability in Nextcloud Talk where a lack of throttling allows attackers to brute-force weak webhook secrets, potentially forging events.
You are affected if you are running Nextcloud Talk versions 2026.3.24 or earlier. Upgrade to 2026.3.28 or later to resolve the issue.
Upgrade Nextcloud Talk to version 2026.3.28 or later. Also, review and strengthen your webhook shared secret.
There is currently no evidence of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the official Nextcloud security advisory for CVE-2026-33580 on the Nextcloud website.