CVE-2026-28474: Incorrect Authorization in OpenClaw nextcloud-talk
OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations.
AI Analysis
Technical Summary
CVE-2026-28474 is an incorrect authorization vulnerability found in OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6. The root cause is the plugin's reliance on the mutable actor.name display name field for validating allowlists that restrict access to direct messages (DMs) and chat rooms. Because the display name can be freely changed by any user, an attacker can modify their display name to exactly match that of an allowlisted user ID. This bypasses the intended access controls, granting unauthorized access to private conversations and rooms. The vulnerability does not require any authentication or user interaction, making it trivially exploitable remotely over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects network attack vector, low complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the simplicity of exploitation and critical impact make this a severe threat. The vulnerability affects all versions prior to 2026.2.6, and no patches are linked in the provided data, but upgrading to 2026.2.6 or later is the recommended remediation. This vulnerability highlights the risk of using mutable user attributes for security-critical authorization decisions.
Potential Impact
The impact of CVE-2026-28474 is severe for organizations relying on Nextcloud Talk for secure communications. Attackers can impersonate authorized users by changing their display name, bypassing allowlist restrictions and gaining unauthorized access to private direct messages and restricted chat rooms. This compromises confidentiality by exposing sensitive conversations, undermines integrity by allowing attackers to inject or alter messages, and affects availability if attackers disrupt communication channels. The lack of required authentication or user interaction means attackers can exploit this remotely and at scale. Organizations handling sensitive or regulated data, such as government agencies, financial institutions, healthcare providers, and enterprises with confidential communications, face significant risks of data breaches, insider impersonation, and espionage. The vulnerability could also damage organizational reputation and lead to compliance violations. Given Nextcloud's popularity in Europe and other regions for private cloud collaboration, the threat has broad global implications.
Mitigation Recommendations
To mitigate CVE-2026-28474, organizations should immediately upgrade OpenClaw's Nextcloud Talk plugin to version 2026.2.6 or later, where the authorization logic no longer relies on the mutable display name field. Until patching is possible, administrators should consider implementing additional access controls at the network or application layer, such as IP whitelisting or VPN requirements, to restrict access to Nextcloud Talk. Monitoring logs for suspicious display name changes and unauthorized access attempts can help detect exploitation attempts. Organizations should also educate users about the risk of display name impersonation and enforce policies to limit display name changes if supported. Reviewing and strengthening allowlist validation mechanisms to use immutable, unique user identifiers rather than mutable attributes is critical for long-term security. Finally, applying defense-in-depth strategies, including multi-factor authentication and encrypted communication channels, can reduce overall risk.
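As an added illustration (not OpenClaw's own code) of the flaw described above and of the log-monitoring advice, the following TypeScript contrasts an allowlist check keyed on the mutable `actor.name` with one keyed on the stable user ID, and adds a detector for display-name changes that collide with an allowlisted ID. The actor and event shapes, the `id` field name and the sample data are assumptions constructed for the example.

```typescript
// Added example, not OpenClaw code. Only the actor.name field comes from the
// advisory; the actor/event shapes and sample data are constructed here.
interface TalkActor {
  id: string;    // stable Nextcloud user ID (assumed field name)
  name: string;  // mutable display name (the field the advisory names)
}

interface NameChangeEvent {
  ts: string;      // ISO timestamp (constructed)
  userId: string;  // who changed their display name
  newName: string; // the display name they chose
}

// Vulnerable pattern: anyone who renames themselves to an allowlisted
// user ID passes, and a legitimately allowlisted user with a different
// display name is wrongly rejected.
function isAllowedByDisplayName(actor: TalkActor, allowlist: string[]): boolean {
  return allowlist.includes(actor.name);
}

// Hardened pattern: compare only the identifier the user cannot change.
function isAllowedById(actor: TalkActor, allowlist: string[]): boolean {
  return allowlist.includes(actor.id);
}

// Detection aid for the monitoring advice: flag display-name changes that
// collide with an allowlisted ID belonging to someone else. Returns the IDs
// of the users who made such changes, in event order.
function flagNameCollisions(events: NameChangeEvent[], allowlist: string[]): string[] {
  const allowed = new Set(allowlist.map(a => a.trim().toLowerCase()));
  return events
    .filter(e => {
      const chosen = e.newName.trim().toLowerCase();
      return allowed.has(chosen) && chosen !== e.userId.toLowerCase();
    })
    .map(e => e.userId);
}

// Constructed sample: "alice" is allowlisted; "mallory" renames herself "alice".
const ALLOWLIST = ["alice"];
const ALICE: TalkActor = { id: "alice", name: "Alice Example" };
const MALLORY: TalkActor = { id: "mallory", name: "alice" };
const EVENTS: NameChangeEvent[] = [
  { ts: "2026-03-01T09:00:00Z", userId: "alice", newName: "Alice Example" },
  { ts: "2026-03-01T09:05:00Z", userId: "mallory", newName: " Alice " },
  { ts: "2026-03-01T09:06:00Z", userId: "bob", newName: "Bob" },
];
```

The collision detector normalises case and surrounding whitespace so that near-identical impersonation names are still flagged; the authorisation check itself should never normalise, only compare the stable ID.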
Affected Countries
Germany, France, United Kingdom, United States, Netherlands, Sweden, Canada, Australia, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-27T19:19:46.447Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa00a5c48b3f10ff7ae781
Added to database: 3/5/2026, 10:16:05 PM
Last enriched: 3/13/2026, 7:40:40 PM
Last updated: 4/20/2026, 5:20:51 AM