CVE-2026-26316

OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 even when the configured webhook secret was missing or...

GHSA-9M9C-VPV5-9G85 Feathers exposes internal headers via unencrypted session cookie

All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session: javascript //...

CVE-2025-32355

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource...

Incorrect Authorization

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization via the webhook authentication. An attacker can gain unauthorized access and inject arbitrary webhook events by sending requests from a loopback...

GHSA-3M3Q-X3GJ-F79X OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations

Affected Packages / Versions This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled. - Package: @openclaw/voice-call - Vulnerable versions: = 2026.2.3 Legacy package name if you are still usi...

CVE-2025-32355

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource...

GHSA-MP5H-M6QJ-6292 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

Summary In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates for example...

OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)

Summary The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 as authenticated. When OpenClaw Gateway is behind a reverse proxy Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok, the proxy typically connects t...

GHSA-XC7W-V5X6-CC87 OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)

Summary The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 as authenticated. When OpenClaw Gateway is behind a reverse proxy Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok, the proxy typically connects t...

PT-2026-20237

Name of the Vulnerable Software and Affected Versions Rocket TRUfusion Enterprise versions through 7.10.4.0 Description The Rocket TRUfusion Enterprise reverse proxy is misconfigured, permitting the specification of absolute URLs within HTTP request lines. This configuration flaw allows the proxy...

CVE-2025-32355

CVE-2025-32355 affects Rocket TRUfusion Enterprise up to version 7.10.4.0, where the built-in reverse proxy can be misconfigured to accept absolute URLs in the HTTP request line. This enables server-side requests to load arbitrary resources via the proxy, constituting a server-side request forger...

CVE-2025-32355

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource...

PT-2026-23566

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.12 Description The BlueBubbles webhook handler in OpenClaw authenticates requests based solely on loopback remoteAddress without validating forwarding headers. This allows bypass of configured webhook password...

CVE-2025-32355

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource...

Rocket TRUfusion Enterprise 安全漏洞

Rocket TRUfusion Enterprise is a product lifecycle management platform developed by the American company Rocket. Versions of Rocket TRUfusion Enterprise 7.10.4.0 and earlier contain security vulnerabilities. These vulnerabilities stem from improper reverse proxy configuration, which allows absolu...

PT-2026-23540

Name of the Vulnerable Software and Affected Versions OpenClaw voice-call plugin versions prior to 2026.2.3 @clawdbot/voice-call versions through 2026.1.24 Description The voice-call plugin contains a flaw in webhook verification that allows remote attackers to bypass authentication by providing...

CVE-2025-32355

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource...

[SECURITY] Fedora 42 Update: nginx-1.28.2-1.fc42

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

[SECURITY] Fedora 43 Update: nginx-1.28.2-1.fc43

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

CVE-2026-25949

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. An unauthenticated client can exploit this vulnerability by sending a specific 8-byte Postgres SSLRequest STARTTLS prelude and then intentionally delaying further communication. This action bypasses Traefik's configured read...