Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.3
OpenClaw BlueBubbles Webhook Bypass in Older Versions
CVE-2026-32896
Summary
Versions of OpenClaw's BlueBubbles plugin before 2026.2.21 have a security flaw that allows attackers to send fake messages without logging in. This can happen when the plugin is set up behind certain types of routers or proxies. To stay secure, update to the latest version of the plugin.
Original title
OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local ro...
Original description
OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.
nvd CVSS3.1
4.8
nvd CVSS4.0
6.3
Vulnerability type
CWE-306
Missing Authentication for Critical Function
- https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90d...
- https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa927963717...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm
- https://www.vulncheck.com/advisories/openclaw-unauthenticated-webhook-access-via...
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026