OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.
Attack Parameters
Attack Vector
Network
Атака возможна удалённо
Attack Complexity
High
Сложно эксплуатировать
Attack Requirements
Present
Нужны дополнительные условия
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя
Impact Assessment
Confidentiality
None
Нет утечки данных
Integrity
High
Полная модификация данных
Availability
None
Нет нарушения работы
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bf…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-webhook-authentication-bypass-via…
disclosure@vulncheck.com