1445 matches found

OSV
added 2026/02/18 12:53 a.m., 5 views

GHSA-3FQR-4CG8-H96Q OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

Summary: Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. Impact: A malicious website can trigger unauthorized...

CVSS 7.1, AI score 5.7, EPSS 0.0014
Exploits 0, References 5
Positive Technologies
added 2026/02/18 12:00 a.m., 7 views

PT-2026-20368

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14; clawdbot versions prior to 2026.1.24-3. Description: Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote...

CVSS 7.1, AI score 5.5, EPSS 0.0014
Exploits 0, References 6
Positive Technologies
added 2026/02/18 12:00 a.m., 9 views

PT-2026-23561

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14. Description: The software contains a webhook signature-verification bypass in the voice-call extension. This allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is enabled...

CVSS 6.5, AI score 5.8, EPSS 0.0029
Exploits 0, References 10
Github Security Blog
added 2026/02/17 9:42 p.m., 11 views

OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)

Summary: OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. - Vulnerable component: SSRF...

CVSS 7.5, AI score 5.5, EPSS 0.00391
Exploits 0, References 5, Affected Software 1
OSV
added 2026/02/17 9:42 p.m., 2 views

GHSA-JRVC-8FF5-2F9F OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)

Summary: OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. - Vulnerable component: SSRF...

CVSS 7.5, AI score 5.5, EPSS 0.00391
Exploits 0, References 5
Github Security Blog
added 2026/02/17 9:42 p.m., 7 views

OpenClaw Gateway tool allowed unrestricted gatewayUrl override

Summary: The Gateway tool accepted a tool-supplied gatewayUrl without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. Affected Packages / Versions: - Package: openclaw (npm) - Affected versions: = 2026.2.14 planned. What...

CVSS 7.6, AI score 5.7, EPSS 0.00336
Exploits 0, References 5, Affected Software 1
Snyk
added 2026/02/17 9:33 p.m., 2 views

Incorrect Authorization

Overview: @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin. Affected versions of this package are vulnerable to Incorrect Authorization via the webhook authentication. An attacker can gain unauthorized access and inject arbitrary webhook events by sending requests from a loopback...

CVSS 7.5, AI score 5.9, EPSS 0.00319
Exploits 0, References 2
Github Security Blog
added 2026/02/17 9:33 p.m., 4 views

OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust

Summary: In affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1), even when the configured webhook secret was missing or incorrect. This does not affect t...

CVSS 7.5, AI score 5.6, EPSS 0.00319
Exploits 0, References 7, Affected Software 2
OSV
added 2026/02/17 9:33 p.m., 5 views

GHSA-PCHC-86F6-8758 OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust

Summary: In affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1), even when the configured webhook secret was missing or incorrect. This does not affect t...

CVSS 7.5, AI score 5.6, EPSS 0.00319
Exploits 0, References 7
OSV
added 2026/02/17 6:46 p.m., 4 views

GHSA-MP5H-M6QJ-6292 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

Summary: In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates, for example...

CVSS 7.5, AI score 5.6, EPSS 0.002
Exploits 1, References 8
OSV
added 2026/02/17 5:14 p.m., 6 views

GHSA-XC7W-V5X6-CC87 OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)

Summary: The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) as authenticated. When OpenClaw Gateway is behind a reverse proxy (Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok), the proxy typically connects t...

CVSS 8.2, AI score 6, EPSS 0.00408
Exploits 0, References 7
Github Security Blog
added 2026/02/17 5:14 p.m., 13 views

OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)

Summary: The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) as authenticated. When OpenClaw Gateway is behind a reverse proxy (Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok), the proxy typically connects t...

CVSS 8.2, AI score 6, EPSS 0.00408
Exploits 0, References 7, Affected Software 1
Github Security Blog
added 2026/02/17 5:09 p.m., 24 views

OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback

Summary: The Chrome extension relay (ensureChromeExtensionRelayServer) previously treated wildcard hosts (0.0.0.0 / ::) as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard cdpUrl was passed. Impact: If configured with a wildcard cdpUrl, relay HTTP endpoints...

CVSS 9.1, AI score 5.5, EPSS 0.00396
Exploits 0, References 7, Affected Software 1
OSV
added 2026/02/17 4:45 p.m., 4 views

GHSA-MR32-VWC2-5J6H OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access

Summary: In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay via loopback WebSocket and use CDP to access cookies from other open tabs and run JavaScript ...

CVSS 7.5, AI score 5.8, EPSS 0.00295
Exploits 0, References 6
Github Security Blog
added 2026/02/17 4:45 p.m., 36 views

OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access

Summary: In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay via loopback WebSocket and use CDP to access cookies from other open tabs and run JavaScript ...

CVSS 8.1, AI score 5.8, EPSS 0.00295
Exploits 0, References 6, Affected Software 2
Positive Technologies
added 2026/02/17 12:00 a.m., 7 views

PT-2026-23535

Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.1.20 through 2026.2.0; moltbot versions 0.1.0 and earlier. Description: The Browser Relay /cdp WebSocket endpoint did not require authentication, allowing websites to connect via loopback and access sensitive data. Attacker...

CVSS 8.1, AI score 5.7, EPSS 0.00295
Exploits 0, References 11
Positive Technologies
added 2026/02/17 12:00 a.m., 6 views

PT-2026-20952

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14. Description: The Gateway tool in OpenClaw accepted a tool-supplied gatewayUrl without sufficient restrictions, potentially causing the OpenClaw host to attempt outbound WebSocket connections to user-specifie...

CVSS 7.6, AI score 5.3, EPSS 0.00336
Exploits 0, References 13
Positive Technologies
added 2026/02/17 12:00 a.m., 5 views

PT-2026-20959

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14. Description: The SSRF protection in OpenClaw could be bypassed using full-form IPv4-mapped IPv6 literals, such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This bypass allows requests that should be blocked,...

CVSS 7.5, AI score 5.2, EPSS 0.00391
Exploits 0, References 11
Positive Technologies
added 2026/02/17 12:00 a.m., 3 views

PT-2026-23566

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.12. Description: The BlueBubbles webhook handler in OpenClaw authenticates requests based solely on loopback remoteAddress without validating forwarding headers. This allows bypass of configured webhook password...

CVSS 8.2, AI score 6, EPSS 0.00408
Exploits 0, References 10
Positive Technologies
added 2026/02/17 12:00 a.m., 3 views

PT-2026-20350

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.13; @openclaw/bluebubbles versions prior to 2026.2.13. Description: The optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based solely on the TCP peer address being...

CVSS 7.5, AI score 5.5, EPSS 0.00319
Exploits 0, References 12