Platform: nextcloud
Component: nextcloud
Fixed in: 2026.2.25
CVE-2026-28449 affects Nextcloud versions prior to 2026.2.25. This vulnerability stems from a lack of durable replay state for Nextcloud Talk webhook events. An attacker can exploit this to replay previously valid, signed webhook requests, potentially causing duplicate inbound message processing and impacting the integrity or availability of the system. The vulnerability was published on 2026-03-19 and a fix is available in version 2026.2.25.
The core impact of CVE-2026-28449 is that an attacker who captures a legitimate, signed Nextcloud Talk webhook request can send it again and have it accepted as new. Because the receiver keeps no durable record of which signed requests it has already handled, the signature check passes a second time and the inbound message is processed again. What that costs depends on what the webhook drives: if it updates user data or triggers automated workflows, replayed requests can produce incorrect data modifications, unintended actions, or, when replayed in volume, denial of service. The blast radius is limited to the functionality exposed through the affected webhooks, but the impact on the individual users or processes behind them can still be significant. The vulnerability underlines that a signature proves who produced a request, not that it is being seen for the first time; replay protection (a nonce or timestamp bound into the signature plus durable state about what has been accepted) is a separate control.
CVE-2026-28449 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not currently available, which suggests a lower probability of immediate widespread exploitation. However, the nature of the flaw, replaying an already-signed request, makes it straightforward to exploit once a valid request has been captured: no cryptographic work is needed, only the ability to resend the same bytes. The NVD entry was published on 2026-03-19.
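The following is an added example, not code from Nextcloud or from the advisory, that shows the failure mode described above and the fix the advisory names. It models a generic HMAC-signed webhook: the header names (X-Timestamp, X-Nonce, X-Signature), the shared secret, the payloads and the timestamps are all constructed for the example. The vulnerable receiver only verifies the signature, so a captured request stays valid forever; the hardened receiver additionally enforces a freshness window and records every accepted nonce in a durable SQLite table, claiming the nonce before it processes the message.

```python
import hashlib
import hmac
import json
import sqlite3

# Constructed for this example: a real deployment uses a per-integration secret.
SECRET = b"example-webhook-secret"
FRESHNESS_WINDOW = 300  # seconds after its timestamp that a signed request is accepted


def sign(body: bytes, nonce: str, timestamp: int) -> str:
    """HMAC-SHA256 over timestamp, nonce and body, so an attacker cannot
    re-stamp or re-nonce a captured request without breaking the signature."""
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_request(message: str, nonce: str, timestamp: int):
    """Build the headers and body a sender would emit (assumed header names)."""
    body = json.dumps({"message": message}).encode()
    headers = {
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": sign(body, nonce, timestamp),
    }
    return headers, body


class VulnerableReceiver:
    """Checks the signature only. A captured request verifies forever, so
    replaying it produces duplicate processing: the flaw described above."""

    def __init__(self):
        self.processed = []

    def handle(self, headers, body, now):
        expected = sign(body, headers["X-Nonce"], int(headers["X-Timestamp"]))
        if not hmac.compare_digest(expected, headers["X-Signature"]):
            return "rejected: bad signature"
        self.processed.append(json.loads(body)["message"])
        return "processed"


class HardenedReceiver:
    """Signature check, then a freshness window, then a durable seen-nonce
    table claimed atomically before processing. SQLite keeps the state across
    restarts and shares it between workers when db_path is a file."""

    def __init__(self, db_path=":memory:", window=FRESHNESS_WINDOW):
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS seen_nonce (nonce TEXT PRIMARY KEY, ts INTEGER)"
        )
        self.window = window
        self.processed = []

    def handle(self, headers, body, now):
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        expected = sign(body, nonce, timestamp)
        if not hmac.compare_digest(expected, headers["X-Signature"]):
            return "rejected: bad signature"
        if abs(now - timestamp) > self.window:
            return "rejected: stale"
        try:
            # The PRIMARY KEY makes the insert fail on a repeat; that is the replay check.
            self.db.execute("INSERT INTO seen_nonce VALUES (?, ?)", (nonce, timestamp))
            self.db.commit()
        except sqlite3.IntegrityError:
            return "rejected: replay"
        # Nonces older than the window are rejected as stale anyway, so they can be pruned.
        self.db.execute("DELETE FROM seen_nonce WHERE ts < ?", (now - self.window,))
        self.db.commit()
        self.processed.append(json.loads(body)["message"])
        return "processed"


def demo():
    """Deliver one signed request, then replay it against both receivers."""
    vulnerable, hardened = VulnerableReceiver(), HardenedReceiver()
    headers, body = make_request("hello from Talk", "nonce-0001", 1000)
    results = {
        "vulnerable_first": vulnerable.handle(headers, body, now=1000),
        "vulnerable_replay": vulnerable.handle(headers, body, now=1001),
        "hardened_first": hardened.handle(headers, body, now=1000),
        "hardened_replay": hardened.handle(headers, body, now=1001),
        "hardened_late_replay": hardened.handle(headers, body, now=2000),
        "hardened_tampered": hardened.handle(headers, body.replace(b"hello", b"HELLO"), now=1000),
    }
    results["vulnerable_count"] = len(vulnerable.processed)
    results["hardened_count"] = len(hardened.processed)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: the signature is verified first so that the nonce table can only be filled by the legitimate sender, and the nonce is inserted before the message is processed so that two concurrent deliveries of the same request cannot both pass. The ":memory:" database is only for the demo; the point of the advisory is that this state must be durable, so a real receiver uses a file or the application database. Where a signing scheme carries no timestamp, the seen-nonce table cannot be pruned without reopening the replay window for whatever was pruned.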
Organizations heavily reliant on Nextcloud Talk's webhook functionality for integrations with other services are particularly at risk. This includes those using webhooks for automated workflows, user provisioning, or real-time notifications. Environments with less stringent security controls and those that have not regularly audited their webhook configurations are also more vulnerable.
• nextcloud / server: confirm the running server version is 2026.2.25 or later (assumes the default install path and web user; adjust for your deployment):
`sudo -u www-data php /var/www/nextcloud/occ status`
• nextcloud / server: confirm whether the Talk app (app id `spreed`) is installed, since it is what exposes the affected webhooks:
`sudo -u www-data php /var/www/nextcloud/occ app:list | grep -i spreed`
• nextcloud / server: review recent webhook activity in the Nextcloud log (default file location; the path depends on your datadirectory and log_type settings):
`grep -i webhook /var/www/nextcloud/data/nextcloud.log | tail -n 50`
Exploit status: no confirmed active exploitation
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28449 is to upgrade Nextcloud to version 2026.2.25 or later, which adds durable replay state for Talk webhook events. If an immediate upgrade is not feasible, fall back on temporary workarounds. A WAF rule is unlikely to help: a replayed request is byte-for-byte identical to the legitimate one, so nothing in a single request distinguishes them without state about what has already been accepted. What does help is reviewing and auditing webhook configurations: ensure webhooks are only reachable from trusted sources and that the actions they trigger are idempotent or otherwise tightly controlled, so a duplicate delivery does as little damage as possible. After upgrading, verify the integrity of recent Talk events by reviewing logs and confirming that no duplicate messages were processed in the exposure window.
Update your OpenClaw instance to version 2026.2.25 or later to mitigate the risk of webhook replay attacks. This update implements durable replay suppression, preventing attackers from resending valid webhook requests and causing duplicate message processing.
CVE-2026-28449 is a vulnerability in Nextcloud versions prior to 2026.2.25 that allows attackers to replay signed webhook requests, leading to duplicate message processing.
You are affected if you are running a Nextcloud version prior to 2026.2.25 and use Nextcloud Talk webhooks.
Upgrade Nextcloud to version 2026.2.25 or later to resolve the vulnerability.
There is no confirmed active exploitation of CVE-2026-28449 at this time, but the vulnerability is relatively easy to exploit.
Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)