CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-R9Q5-C7QC-P26W: Webhook Replay Vulnerability in OpenClaw Nextcloud Talk Integration

Alon Barad, Software Engineer

Mar 4, 2026 · 4 min read

PoC Available

Executive Summary (TL;DR)

OpenClaw's Nextcloud Talk webhook handler accepts replayed requests due to missing nonce/ID verification. Attackers can trigger duplicate AI actions. Fixed in v2026.2.25.

A capture-replay vulnerability exists in the Nextcloud Talk integration of the OpenClaw AI platform. The webhook handler properly verifies cryptographic signatures but fails to track processed message identifiers, allowing attackers to re-submit captured valid requests. This results in duplicate processing of AI commands and potential redundant side effects.

Vulnerability Overview

OpenClaw acts as a personal AI assistant that integrates with various platforms, including Nextcloud Talk, to receive and process user messages. The integration relies on incoming webhooks to trigger AI responses and execute tool-based commands. A vulnerability was identified in how these webhooks are processed: the system is stateless regarding message history.

While the application implements cryptographic signature verification using x-nextcloud-talk-signature (HMAC), it does not maintain a record of processed request identifiers (nonces or message IDs). This omission allows valid, signed requests to be captured and replayed against the server. The server accepts these replayed requests as new, legitimate events because the signature remains mathematically valid for the payload.

Root Cause Analysis

The root cause is a Missing Replay Protection mechanism (CWE-294) within the webhook handler. Secure webhook implementations typically require two components: identity verification (signature) and uniqueness verification (nonce/timestamp caching). OpenClaw implemented the former but neglected the latter.

Specifically, the onMessage handler in the Nextcloud Talk extension accepts HTTP POST requests and verifies headers. However, prior to version 2026.2.25, the handler had no deduplication logic and no state store to track the messageId or token of processed requests. Consequently, if an attacker intercepts a request with a valid x-nextcloud-talk-signature, they can resend it indefinitely. The application logic re-processes the payload, triggering the AI agent's logic flow anew for every submission.

Code Analysis & Fix

The remediation introduced in version 2026.2.25 adds a persistence layer to track processed messages. A new component, NextcloudTalkReplayGuard, was implemented to check incoming message IDs against a local JSON-based deduplication store.

The fix involves two key changes:

  1. Persistent Deduplication: The system now extracts a unique identifier from the webhook payload and checks if it exists in a replay-dedupe log on disk. If the ID is found and the entry is within the Time-To-Live (TTL) window, the request is rejected.
  2. Origin Validation: The patch adds a check against the x-nextcloud-talk-backend header to ensure the request originates from the configured Nextcloud instance URL, preventing cross-tenant replays.

Fixed Logic (Simplified):

// src/replay-guard.ts (simplified excerpt; createPersistentDedupe,
// DEFAULT_REPLAY_TTL_MS and stateDir come from the project's own modules)
import path from "node:path";

export function createNextcloudTalkReplayGuard(options) {
  const persistentDedupe = createPersistentDedupe({
    ttlMs: options.ttlMs ?? DEFAULT_REPLAY_TTL_MS,
    // Stores IDs in: state/nextcloud-talk/replay-dedupe/<namespace>.json
    resolveFilePath: (namespace) => path.join(stateDir, ...),
  });
 
  return {
    shouldProcessMessage: async ({ accountId, roomToken, messageId }) => {
      // Unique key combines token and message ID
      const replayKey = `${roomToken}:${messageId}`;
      // Returns false if key already exists
      return await persistentDedupe.checkAndRecord(replayKey, { namespace: accountId });
    },
  };
}
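The following is an added example, not OpenClaw's code or the patch above, that puts the root cause and the fix side by side: verifySignature is the pre-fix check (it proves the sender knew the secret but says nothing about freshness), and createReplayGuard layers the origin check and the roomToken:messageId deduplication with a TTL on top of it. It assumes the Nextcloud Talk bot scheme of HMAC-SHA256 over random + raw body, an in-memory map in place of the on-disk JSON store, and a constructed payload in which target.id is the room token and object.id is the message id.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed shape of one webhook delivery; header names are lowercased as Node does.
export interface Delivery { headers: Record<string, string>; body: string }

// Assumed Nextcloud Talk bot scheme: signature = HMAC-SHA256(secret, random + rawBody).
function hmacHex(secret: string, random: string, body: string): string {
  return createHmac("sha256", secret).update(random + body).digest("hex");
}

// Builds a signed delivery the way the Nextcloud side would (used only for sample data).
export function signDelivery(secret: string, backend: string, random: string, body: string): Delivery {
  return { headers: { "x-nextcloud-talk-random": random,
                      "x-nextcloud-talk-signature": hmacHex(secret, random, body),
                      "x-nextcloud-talk-backend": backend }, body };
}

// Pre-fix check: valid for the captured bytes forever, so a replay passes it unchanged.
export function verifySignature(d: Delivery, secret: string): boolean {
  const got = Buffer.from(d.headers["x-nextcloud-talk-signature"] ?? "", "hex");
  const want = Buffer.from(hmacHex(secret, d.headers["x-nextcloud-talk-random"] ?? "", d.body), "hex");
  return got.length === want.length && timingSafeEqual(got, want);
}

// Post-fix guard: signature, then origin, then uniqueness of roomToken:messageId within ttlMs.
export function createReplayGuard(opts: { secret: string; backendUrl: string; ttlMs: number }) {
  const seen = new Map<string, number>(); // replayKey -> time (ms) the key was first accepted
  return {
    shouldProcess(d: Delivery, now: number = Date.now()): string {
      if (!verifySignature(d, opts.secret)) return "rejected:bad-signature";
      if (d.headers["x-nextcloud-talk-backend"] !== opts.backendUrl) return "rejected:wrong-backend";
      const msg = JSON.parse(d.body); // assumed payload: target.id = room token, object.id = message id
      const key = `${msg.target?.id}:${msg.object?.id}`;
      const first = seen.get(key);
      if (first !== undefined && now - first < opts.ttlMs) return "rejected:replay";
      seen.set(key, now); // record the key before any AI work runs, not after
      return "accepted";
    },
  };
}

// Constructed sample: one legitimate delivery, then the identical bytes resent a second later.
const SECRET = "constructed-secret";
const BACKEND = "https://cloud.example.test/";
const body = JSON.stringify({ type: "Create", object: { id: "4711" }, target: { id: "room-abc" } });
const guard = createReplayGuard({ secret: SECRET, backendUrl: BACKEND, ttlMs: 60000 });
const delivery = signDelivery(SECRET, BACKEND, "rnd-1", body);
console.log(guard.shouldProcess(delivery, 1000), guard.shouldProcess(delivery, 2000)); // accepted rejected:replay
```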

Exploitation Scenario

Exploitation requires an attacker to have network visibility to capture traffic between the Nextcloud instance and the OpenClaw server (e.g., via Man-in-the-Middle or access to a proxy log). No authentication credentials are required to replay the request, as the valid signature is contained within the captured headers.

Attack Steps:

  1. Interception: The attacker passively monitors traffic to the OpenClaw webhook endpoint.
  2. Capture: The attacker records a valid HTTP POST request, preserving the body and the headers x-nextcloud-talk-signature, x-nextcloud-talk-random, and x-nextcloud-talk-backend.
  3. Replay: The attacker uses a tool like curl or Burp Suite to resend the exact request to the OpenClaw server.
  4. Result: The server validates the signature (which is still valid for that specific body) and processes the message again. The AI agent generates a duplicate response or executes the associated command a second time.

Impact Assessment

The primary impacts are an integrity violation of application state and resource exhaustion.

  • Duplicate Actions: If the replayed message contains a command (e.g., "Schedule a meeting at 2 PM"), the AI agent may attempt to execute this action multiple times. Depending on the downstream system's idempotency, this could create duplicate calendar entries, tasks, or database records.
  • API Cost Inflation: AI processing typically involves calls to paid LLM APIs (e.g., OpenAI, Anthropic). An attacker could flood the system with replayed requests to exhaust the victim's API credits.
  • Operational Noise: Duplicate processing pollutes logs and chat history, potentially confusing users and complicating audit trails.

Official Patches

OpenClaw commit d512163d: Add replay guard

Technical Appendix

CVSS Score: Unknown / 10

Affected Systems

OpenClaw Nextcloud Talk Integration

Affected Versions Detail

  • Product: OpenClaw
  • Affected Versions: < 2026.2.25
  • Fixed Version: 2026.2.25

  • CWE: CWE-294
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • Impact: Duplicate Processing

MITRE ATT&CK Mapping

  • T1557 Adversary-in-the-Middle (Credential Access)
  • T1499 Endpoint Denial of Service (Impact)

CWE-294: Authentication Bypass by Capture-replay

A capture-replay flaw occurs when a design does not properly validate that a request is unique or fresh, allowing an attacker to resubmit a captured valid request.

Vulnerability Timeline

  • 2026-02-25: Vulnerability reported by @aristorechina
  • 2026-02-25: Fix commit pushed by Peter Steinberger
  • 2026-02-26: OpenClaw v2026.2.25 released with fix

References & Sources

  • [1] GitHub Advisory GHSA-R9Q5-C7QC-P26W
  • [2] Security Blog Post: OpenClaw Message Reliability

Attack Flow Diagram
