Home / Vulnerability Intelligence / CVE-2026-28474

CVE-2026-28474 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 5, 2026

OpenClaw Nextcloud Talk - Broken Access Control

Published: March 5, 2026Updated: March 5, 2026Remote Exploitable

Overview

OpenClaw Nextcloud Talk plugin < 2026.2.6 contains a broken access control caused by equality matching on mutable actor.name display name for allowlist validation, letting attackers bypass DM and room allowlists by impersonation, exploit requires attacker to change display name.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 3.9%(Probability of exploitation in next 30 days)

Impact

Attackers can bypass allowlists and gain unauthorized access to restricted conversations, compromising confidentiality.

Mitigation

Update to version 2026.2.6 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 6, 2026

🔴 CVE-2026-28474 - Critical (9.8) OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28474/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28474
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: new
EPSS: 3.9%
Social Posts: 1

CWE

CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.9%Probability of exploitation in the next 30 days