PT-2026-25432 · Npm · Openclaw+1

Published

2026-03-03

·

Updated

2026-03-03

CVSS v3.1

4.8

Medium

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events.

Affected Component and Scope

  • Component: extensions/bluebubbles webhook handler
  • Scope: only deployments using the optional BlueBubbles plugin where webhook password auth was not configured for incoming webhook events

Affected Packages / Versions

  • Package: openclaw/openclaw (npm)
  • Latest published npm version at triage time (2026-02-21): 2026.2.19-2
  • Affected structured range: <=2026.2.19-2
  • Fixed on main; planned patched release: 2026.2.21 (>=2026.2.21)

Details

The vulnerable implementation had multiple auth branches, including a passwordless fallback with loopback/proxy heuristics.
The fix now uses one authentication codepath:
  • inbound webhook token/guid must match channels.bluebubbles.password
  • webhook target matching is consolidated to shared plugin-sdk logic
  • BlueBubbles config validation now requires password when serverUrl is set

Impact

BlueBubbles is an optional beta iMessage plugin, and onboarding/channel-add flows already require a password. Practical exposure is mainly custom/manual configurations that omitted webhook password authentication.

Remediation

  • Upgrade to a release that includes this patch (>=2026.2.21, planned).
  • Ensure BlueBubbles webhook delivery includes a matching password (?password=<password> or x-password).

Fix Commit(s)

  • 6b2f2811dc623e5faaf2f76afaa9279637174590
  • 283029bdea23164ab7482b320cb420d1b90df806

Release Process Note

patched versions is pre-set to the planned next release (2026.2.21) so once npm release is out, advisory publish can proceed without additional ticket edits.
OpenClaw thanks @zpbrent for reporting.

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

GHSA-5MX2-2MGW-X8RM

Affected Products

Openclaw
Openclaw/Openclaw