Critical (9.8)

Nextcloud Vulnerability (CVE-2026-28474)

OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room all...

Affected: Nextcloud

Overview

A critical security vulnerability has been identified in the OpenClaw Nextcloud Talk plugin. This flaw allows an attacker to bypass configured security allowlists, potentially gaining unauthorized access to private direct messages (DMs) and restricted chat rooms.

Vulnerability Explanation

In simple terms, the plugin’s security check contains a logic flaw. Administrators can create allowlists to restrict conversations to specific users. The system is supposed to check if a user’s unique, unchanging account ID is on the list before granting access.

The vulnerability exists because, in affected versions, the system incorrectly performs this check against a user’s mutable display name instead. An attacker can simply change their displayed name in their Nextcloud profile to match the unique ID of an allowlisted user. The flawed validation then treats the attacker as the authorized user, granting them access they should not have.
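The following TypeScript is an added illustration of the flawed check described above and of the corrected form; it is not code from the OpenClaw plugin, and the function names, the `users/<name>` id format and the sample events are assumptions. The `actor.id` / `actor.name` field pair mirrors the shape of the events Nextcloud Talk delivers to bots, where `id` is the account identifier and `name` is the profile display name. The last helper shows one way to act on the "audit access logs" advice below: flag events whose display name collides with an allowlisted id while the real id does not match.

```typescript
// Added example (not the plugin's own code). Field names follow the
// actor.id / actor.name pair named in the advisory; everything else is assumed.

interface Actor {
  id: string;   // account identifier, assumed immutable (format assumed)
  name: string; // display name, freely editable in the user's profile
}

interface TalkEvent {
  room: string;
  actor: Actor;
  message: string;
}

// Vulnerable form (behaviour the advisory attributes to versions before
// 2026.2.6): equality matching is accepted on the mutable display name,
// so an actor whose name equals an allowlisted id passes.
function isAllowedVulnerable(actor: Actor, allowlist: string[]): boolean {
  return allowlist.includes(actor.id) || allowlist.includes(actor.name);
}

// Fixed form: only the account id is compared, by exact string equality,
// with no normalisation that could widen the match.
function isAllowedFixed(actor: Actor, allowlist: string[]): boolean {
  return allowlist.includes(actor.id);
}

// Audit heuristic: a display name that equals an allowlisted id while the
// actor's own id is not allowlisted is what a bypass attempt looks like in
// the event stream, and is worth reviewing.
function findSuspiciousEvents(events: TalkEvent[], allowlist: string[]): TalkEvent[] {
  return events.filter(
    (e) => allowlist.includes(e.actor.name) && !allowlist.includes(e.actor.id),
  );
}

// Constructed sample data, not taken from any real instance.
const sampleAllowlist: string[] = ["users/alice"];
const sampleEvents: TalkEvent[] = [
  { room: "dm-alice", actor: { id: "users/alice", name: "Alice" }, message: "hello" },
  // display name set to the allowlisted id, id is a different account
  { room: "dm-alice", actor: { id: "users/mallory", name: "users/alice" }, message: "hello" },
  { room: "dm-alice", actor: { id: "users/bob", name: "Bob" }, message: "hello" },
];

// Runs both checks over the sample events and counts audit hits.
function demo(): { vulnerable: boolean[]; fixed: boolean[]; suspicious: number } {
  return {
    vulnerable: sampleEvents.map((e) => isAllowedVulnerable(e.actor, sampleAllowlist)),
    fixed: sampleEvents.map((e) => isAllowedFixed(e.actor, sampleAllowlist)),
    suspicious: findSuspiciousEvents(sampleEvents, sampleAllowlist).length,
  };
}

console.log(demo());
```

Under the vulnerable check the second event is admitted because its display name equals the allowlisted id; under the fixed check only the genuine `users/alice` event is admitted, and the audit helper singles out the second event for review.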

Impact

The impact of this vulnerability is severe. Successful exploitation allows an unauthorized user to:

  • Access private direct messages intended for other users.
  • Join password-protected or otherwise restricted group conversations and rooms.
  • Potentially read sensitive, confidential, or private communications.
  • Violate the expected privacy and security boundaries within the Nextcloud Talk instance.

This constitutes a critical failure of access controls, with a CVSS score of 9.8 (Critical).

Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Remediation: The fix is to upgrade the OpenClaw Nextcloud Talk plugin. All users must update to version 2026.2.6 or later, where the validation logic has been corrected to use the immutable user ID for allowlist checks.

Actionable Steps:

  1. Update Immediately: Log into your Nextcloud instance as an administrator. Navigate to the Apps section, find the “OpenClaw Talk” plugin, and update it to version 2026.2.6 or the latest available version.
  2. Verify the Update: After updating, confirm the installed version is 2026.2.6 or higher in the app management panel.
  3. Audit Access Logs (Recommended): Review logs for the Nextcloud Talk application for any suspicious activity, particularly unexpected user accesses to private rooms or DMs around the time of the vulnerability’s disclosure.
  4. Inform Users: Consider notifying users of the update, especially if your instance handles highly sensitive communications, and remind them to report any unusual activity.

Important Note: Simply advising users not to change their display name is not a sufficient mitigation. The core flaw is in the plugin’s code, and it must be patched.
