EUVD-2026-29158

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

CVE-2026-8305

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

Improper Authentication

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Improper Authentication via the handleBlueBubblesWebhookRequest function. An attacker can gain unauthorized access and potentially compromise confidentiality, integrity, an...

CVE-2026-8305 OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

CVE-2026-8305 OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

CVE-2026-8305

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

CVE-2026-8305

The CVE refers to OpenClaw (bluebubbles Webhook) with the vulnerable element in extensions/bluebubbles/src/monitor.ts, function handleBlueBubblesWebhookRequest. The issue is improper authentication allowing remote initiation. It affects builds up to 2026.1.24; upgrading to version 2026.2.12 fixes...

OpenClaw 授权问题漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.1.24 contained an authorization issue vulnerability. This vulnerability originated from the handleBlueBubblesWebhookRequest function in the extensions/bluebubbles/src/monitor.ts...

Incorrect Authorization

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the requireMention process. An attacker can trigger agent-visible system events in group chats that are intended to be mention-gated by sending...

GHSA-MW7W-G3MG-XQM7 OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events

Summary BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...

OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events

Summary BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...

OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing

Summary BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...

Weak Password Requirements

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Weak Password Requirements via the authentication process. An attacker can bypass intended authentication mechanisms by sending a high volume of password guesses without...

GHSA-XQ8G-HGH6-87HV OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing

Summary BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...

CVE-2026-32896

OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...

CVE-2026-22170

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...

CVE-2026-32011

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request...

OpenClaw Access Control Error Vulnerability (CNVD-2026-16041)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an Access Control Error vulnerability that stems from the BlueBubbles webhook handler containing a passwordless fallback authentication path, which can be exploited by an attacker to cause an...

Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5mx2-2mgw-x8rm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path...

EUVD-2026-13972

OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...