90 matches found
Incorrect Authorization
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from...
OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty
Summary BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale Medium Severity is set to medium because: - this...
GHSA-JWF4-8WF4-JF2M OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty
Summary BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale Medium Severity is set to medium because: - this...
Incorrect Authorization
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing b...
PT-2026-26004
Summary BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale Medium Severity is set to medium because: - this...
OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
Summary In [email protected], BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. A sender that was only DM-paired not explicitly present in groupAllowFrom could pass group sender check...
GHSA-25PW-4H6W-QWVM OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
Summary In [email protected], BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. A sender that was only DM-paired not explicitly present in groupAllowFrom could pass group sender check...
Missing Authentication for Critical Function
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the optional BlueBubbles plugin when password authentication is not configured for incoming webhook events. An...
Missing Authentication for Critical Function
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the optional BlueBubbles plugin when password authentication is not configured for incoming webhook...
GHSA-5MX2-2MGW-X8RM OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
Summary BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events. Affected Component and Scope - Component: extensions/bluebubbles webhook handler - Scope: only...
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
Summary BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events. Affected Component and Scope - Component: extensions/bluebubbles webhook handler - Scope: only...
OpenClaw has an unspecified vulnerability (CNVD-2026-13381)
OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw has a security vulnerability that originates from the BlueBubbles iMessage channel plugin accepting webhook requests as authenticated based only on the TCP peer address as the loopback address i.e., when a missing or...
OpenClaw < 2026.2.13 Multiple Vulnerabilities
The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.13. It is, therefore, affected by multiple vulnerabilities: - The optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback,...
CVE-2026-26316
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 even when the configured webhook secret was missing or...
CVE-2026-26316
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 even when the configured webhook secret was missing or...
CVE-2026-26316
OpenClaw’s BlueBubbles iMessage channel plugin is vulnerable to webhook auth bypass prior to version 2026.2.13. The plugin could accept webhook requests authenticated only by loopback TCP addresses (127.0.0.1, ::1, ::ffff:127.0.0.1) even when the webhook secret is missing or incorrect. The patch ...
CVE-2026-26316 OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 even when the configured webhook secret was missing or...
CVE-2026-26316 OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 even when the configured webhook secret was missing or...
CVE-2026-26316 OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 even when the configured webhook secret was missing or...
OpenClaw 安全漏洞
OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw has a security vulnerability that originates from the BlueBubbles iMessage channel plugin accepting webhook requests as authenticated based only on the TCP peer address as the loopback address i.e., when a missing or...