Nextcloud Talk, Allowlist Bypass via Display Name Spoofing, CVE-2026-XXXXX (Critical)

Listen to this Post

The vulnerability resides in the `@openclaw/nextcloud-talk` plugin, an optional component for Nextcloud that handles chat and direct messages (DMs) . The plugin processes incoming webhooks which contain two key identifiers: a stable, immutable `actor.id` (a unique user ID) and a mutable, user-controlled `actor.name` (the display name). In affected versions, the plugin’s allowlist mechanism, designed to restrict DMs and room access to specific users, incorrectly performed its authorization check against the `actor.name` field instead of the actor.id. Because the display name is fully controllable by the user, an attacker could simply change their own display name to exactly match the `actor.name` of an allowlisted user. This action would trick the plugin into granting the attacker the same access privileges as the legitimate allowlisted user, allowing them to bypass access controls, join private rooms, and send direct messages to users from whom they are normally restricted .

dailycve form:

Platform: @openclaw/nextcloud-talk (npm)
Version: <= 2026.2.2
Vulnerability: Allowlist Bypass
Severity: Critical
date: 2026-02-17

Prediction: 2026-02-24

(end of form)

What Undercode Say:

Analytics:

CVSS 9.3. Webhook auth bypass via mutable field .

Check installed version
npm list @openclaw/nextcloud-talk
Check for vulnerable versions in a project
grep -r "\"@openclaw/nextcloud-talk\":" package.json

How Exploit:

Attacker changes own display name. Matches allowlisted target user. Gains unauthorized DM/room access.

// Conceptual API call to change display name
// (Actual endpoint depends on Nextcloud implementation)
fetch('/ocs/v2.php/cloud/users/attacker', {
method: 'PUT',
headers: { 'OCS-APIRequest': 'true' },
body: JSON.stringify({ displayname: "AllowlistedUser Name" })
});

Protection from this CVE

Upgrade to version 2026.2.6 or later .

Upgrade command
npm install @openclaw/nextcloud-talk@^2026.2.6
Verify fix
npm list @openclaw/nextcloud-talk

Impact:

Unauthorized private access. DM/room data leaks. Privacy violations .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top