258 matches found
CVE-2026-26316 OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1), even when the configured webhook secret was missing or...
OpenClaw Security Vulnerability
OpenClaw is an open-source artificial intelligence assistant. OpenClaw has a security vulnerability that originates from the BlueBubbles iMessage channel plugin accepting webhook requests as authenticated based only on the TCP peer address being the loopback address, i.e., when a missing or...
GHSA-G34W-4XQQ-H79M OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
Summary: Under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Details: Affected component: src/imessage/monitor/monitor-provider.ts. Vulnerable logic derived effectiveGroupAllowFr...
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
Summary: Under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Details: Affected component: src/imessage/monitor/monitor-provider.ts. Vulnerable logic derived effectiveGroupAllowFr...
PT-2026-20371
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14; clawdbot versions prior to 2026.1.24-3. Description: When iMessage is configured with groupPolicy=allowlist, group authorization could be satisfied by sender identities from the DM pairing store, extending DM...
EUVD-2020-30664
Malware in sbrugna...
EUVD-2012-3680
Malware in sbrugna...
EUVD-2019-18021
Malware in sbrugna...
EUVD-2019-18049
Malware in sbrugna...
EUVD-2020-30602
Malware in sbrugna...
EUVD-2014-4280
Malware in sbrugna...
EUVD-2020-12885
Malware in sbrugna...
EUVD-2020-25109
Malware in sbrugna...
EUVD-2021-17821
Malware in sbrugna...
EUVD-2021-7235
Malicious code in bioql PyPI...
Glass Cage Zero-Click iMessage Exploit Details
Glass Cage, a vulnerability chain discovered on iOS 18.2, enables an attacker to compromise a device silently by sending a single malicious PNG image via iMessage. The exploit bypasses multiple layers of Apple's defenses, including BlastDoor, WebKit sandboxing, and CoreMedia memory protections...
Apple iMessage Zero-Click Key Theft / Remote Code Execution
This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and undetectable crypto wallet exfiltration. Despite responsible...
NICKNAME: Zero-Click iMessage Exploit Targeted Key Figures in US, EU
iVerify's NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU high-value individuals...
CVE-2021-30904
A sync issue was addressed with improved state validation. This issue is fixed in macOS Monterey 12.0.1. A user's messages may continue to sync after the user has signed out of iMessage...
CVE-2021-1771
This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave. A user that is removed from an iMessage group could rejoin the group...