PT-2026-26745 · WordPress+1 · Bluebubbles+1
Peng Zhou · Published 2026-03-03 · Updated 2026-03-21
CVE-2026-32896
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.21
Description
The BlueBubbles webhook handler in OpenClaw contains a passwordless fallback authentication path. In specific reverse-proxy or local routing setups, this path allows unauthenticated webhook events to be accepted. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.
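The class of flaw described above, as an added sketch that is not taken from OpenClaw's code: a handler that falls back to trusting loopback peers, next to one that always requires the secret. The request shape, the function names and the `password` query parameter are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Peer addresses a handler might treat as "local" (illustrative list).
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Constant-time comparison; hashing first gives equal-length buffers.
function secretMatches(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') return false;
  if (expected === '') return false;
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Weak pattern (hypothetical): a loopback peer is accepted without a password.
// Behind a same-host reverse proxy, every forwarded request has a loopback
// peer address, so the fallback applies to all external traffic.
function authorizeWeak(req, cfg) {
  if (secretMatches(req.query.password, cfg.password)) return true;
  return LOOPBACK.has(req.remoteAddress); // passwordless fallback
}

// Hardened pattern (hypothetical): network position never authenticates.
function authorizeStrict(req, cfg) {
  if (!cfg.password) return false; // fail closed when no secret is configured
  return secretMatches(req.query.password, cfg.password);
}

// Constructed sample data, not captured traffic.
const cfg = { password: 'constructed-example-secret' };
const viaProxyNoPassword = {
  remoteAddress: '127.0.0.1', // the proxy's address as seen by the handler
  headers: { 'x-forwarded-for': '203.0.113.7' }, // original external client
  query: {},
};
const directWithPassword = {
  remoteAddress: '198.51.100.9',
  headers: {},
  query: { password: 'constructed-example-secret' },
};
const directNoPassword = { remoteAddress: '198.51.100.9', headers: {}, query: {} };

// Decision of each handler for each constructed request.
function compare() {
  const cases = { viaProxyNoPassword, directWithPassword, directNoPassword };
  return Object.entries(cases).map(([name, req]) => ({
    name, weak: authorizeWeak(req, cfg), strict: authorizeStrict(req, cfg),
  }));
}
console.table(compare());
```

Only the proxied request without a password is decided differently by the two handlers, which is the case an operator should test for after upgrading.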
Recommendations
Update OpenClaw to version 2026.2.21 or later.
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Bluebubbles
Openclaw