20 matches found
CVE-2026-32896
OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...
CVE-2026-32896 OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin
The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the...
CVE-2026-32896 OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin
The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the...
CVE-2026-32896
The issue is OpenClaw versions prior to 2026.2.21 where the BlueBubbles webhook handler contains a passwordless fallback authentication path. This allows unauthenticated webhook events in certain reverse-proxy or local routing configurations by exploiting loopback/proxy heuristics, enabling an at...
CVE-2026-22170
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...
CVE-2026-22170
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...
CVE-2026-22170 OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...
CVE-2026-22170
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass caused by an empty allowFrom configuration. This misconfiguration makes dmPolicy pairing and allowlist restrictions ineffective, enabling remote attackers to send direct messages to BlueBubb...
CVE-2026-22170
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...
Missing Authentication for Critical Function
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the BlueBubbles plugin due to trusting the loopback remoteAddress without validating forwarding headers. An attacker...
CVE-2026-29613
OpenClaw is affected in versions prior to 2026.2.12, where the BlueBubbles optional plugin webhook handler authenticates requests only by loopback remoteAddress and does not validate forwarding headers. This allows an unauthenticated attacker, especially when behind a reverse proxy, to reach the ...
Incorrect Authorization
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from...
GHSA-JWF4-8WF4-JF2M OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty
Summary BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale Medium Severity is set to medium because: - this...
Incorrect Authorization
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing b...
GHSA-5MX2-2MGW-X8RM OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
Summary BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events. Affected Component and Scope - Component: extensions/bluebubbles webhook handler - Scope: only...
Missing Authentication for Critical Function
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the optional BlueBubbles plugin when password authentication is not configured for incoming webhook...
Missing Authentication for Critical Function
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the optional BlueBubbles plugin when password authentication is not configured for incoming webhook events. An...
OpenClaw < 2026.2.13 Multiple Vulnerabilities
The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.13. It is, therefore, affected by multiple vulnerabilities: - The optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback,...
OpenClaw 安全漏洞
OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw has a security vulnerability that originates from the BlueBubbles iMessage channel plugin accepting webhook requests as authenticated based only on the TCP peer address as the loopback address i.e., when a missing or...
Authentication Bypass Using an Alternate Path or Channel
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...