CVE-2026-26316

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.13 @openclaw/bluebubbles versions prior to 2026.2.13

Description The optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based solely on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. If a deployment exposes the BlueBubbles webhook endpoint through a same-host reverse proxy or an attacker can reach loopback via Server-Side Request Forgery (SSRF), an unauthenticated party may be able to inject inbound webhook events into the agent pipeline.

Recommendations Versions prior to 2026.2.13 should be updated to version 2026.2.13 or later. Set a non-empty BlueBubbles webhook password. Avoid deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.