5 matches found

Cvelist
added 2026/05/29 4:53 p.m., 28 views

CVE-2026-45577 Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolv...

CVSS: 6.9, EPSS: 0.00054
Exploits: 0, References: 2
GitHub Security Blog
added 2026/05/18 2:20 p.m., 10 views

Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the...

CVSS: 6.9, AI score: 5.8, EPSS: 0.00054
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/02/19 9:28 p.m., 5 views

CVE-2026-26316 OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust

OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) even when the configured webhook secret was missing or...

CVSS: 7.5, AI score: 5.6, EPSS: 0.00083
Exploits: 0, References: 6
Vulnrichment
added 2026/02/19 9:28 p.m., 3 views

CVE-2026-26316 OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust

OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) even when the configured webhook secret was missing or...

CVSS: 7.5, AI score: 5.6, EPSS: 0.00083
Exploits: 0, References: 4
Cvelist
added 2026/02/19 9:28 p.m., 19 views

CVE-2026-26316 OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust

OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) even when the configured webhook secret was missing or...

CVSS: 7.5, EPSS: 0.00083
Exploits: 0, References: 4