
OpenClaw's BlueBubbles Plugin Exposes Webhooks to Unauthorized Access

CVE-2026-29613 GHSA-xc7w-v5x6-cc87
Summary

Versions of OpenClaw's optional BlueBubbles plugin before 2026.2.12 accept unauthenticated webhook requests when the gateway runs behind a reverse proxy, because the handler trusts a loopback source address without checking forwarding headers. This lets an attacker who can reach the proxy inject fake messages or reactions. Update to OpenClaw 2026.2.12 or later to fix the issue.

What to do
  • Update steipete openclaw to version 2026.2.12.
Affected software
Vendor     Product    Affected versions   Fix available
steipete   openclaw   <= 2026.2.12        2026.2.12
openclaw   openclaw   <= 2026.2.12        –
Original title
OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without v...
Original description
OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.
NVD CVSS 3.1: 5.9
NVD CVSS 4.0: 8.2
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026