BlueBubbles iMessage Plugin Exposes Webhooks to Unauthenticated Access

GHSA-5mx2-2mgw-x8rm
Summary

The optional BlueBubbles beta iMessage plugin in OpenClaw contained a passwordless fallback in its webhook authentication. In deployments where no webhook password was configured (mainly custom or manual configurations, since the onboarding and channel-add flows already require one), certain reverse-proxy or local-routing setups could let an unauthenticated sender deliver webhook events. To fix this, update OpenClaw to 2026.2.21 or later (`>=2026.2.21`) and make sure every incoming webhook delivery carries the configured password.

What to do
  • Update the `openclaw` npm package (`openclaw/openclaw`) to version 2026.2.21 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| openclaw | openclaw | < 2026.2.21 (latest affected npm release at triage: 2026.2.19-2) | 2026.2.21 |
Original title
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
Original description
### Summary
BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, where forwarded requests can satisfy the fallback's loopback/proxy heuristics, this could allow an unauthenticated sender to deliver webhook events.

### Affected Component and Scope
- Component: `extensions/bluebubbles` webhook handler
- Scope: only deployments using the optional BlueBubbles plugin where webhook password auth was not configured for incoming webhook events

### Affected Packages / Versions
- Package: `openclaw/openclaw` (npm)
- Latest published npm version at triage time (2026-02-21): `2026.2.19-2`
- Affected structured range: `<=2026.2.19-2`
- Fixed on `main`; planned patched release: `2026.2.21` (`>=2026.2.21`)

### Details
The vulnerable implementation had multiple auth branches, including a passwordless fallback with loopback/proxy heuristics.

The fix now uses one authentication codepath:
- inbound webhook token/guid must match `channels.bluebubbles.password`
- webhook target matching is consolidated to shared plugin-sdk logic
- BlueBubbles config validation now requires `password` when `serverUrl` is set

### Impact
BlueBubbles is an optional beta iMessage plugin, and onboarding/channel-add flows already require a password. Practical exposure is mainly custom/manual configurations that omitted webhook password authentication.

### Remediation
- Upgrade to a release that includes this patch (`>=2026.2.21`, planned).
- Ensure BlueBubbles webhook delivery includes a matching password (`?password=<password>` or `x-password`).

### Fix Commit(s)
- `6b2f2811dc623e5faaf2f76afaa9279637174590`
- `283029bdea23164ab7482b320cb420d1b90df806`

### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.21`) so once npm release is out, advisory publish can proceed without additional ticket edits.

OpenClaw thanks @zpbrent for reporting.
Source: GHSA · CVSS 4.0 score: 6.9
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026