OpenClaw Webhook Authentication Bypass Vulnerability in BlueBubbles Plugin
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.2.12 within the optional BlueBubbles plugin. The issue is in the webhook handler, which authenticates requests based solely on whether the remote address is a loopback address. It does not inspect forwarding headers, so a request that was relayed by a reverse proxy can be treated as local and the configured webhook password is never required. This is particularly concerning when the OpenClaw gateway sits behind a reverse proxy, as it can enable unauthenticated remote attackers to inject arbitrary BlueBubbles message and reaction events by sending requests to the proxied endpoint.
Impact
Exploitation of this vulnerability allows for unauthorized injection of BlueBubbles messages and reactions into the application.
Reproduction
To reproduce this vulnerability, deploy OpenClaw with the BlueBubbles plugin activated, behind a reverse proxy. Ensure that the webhook endpoint is exposed through the proxy without authentication. Once the setup is complete, send a request to the BlueBubbles webhook endpoint via the proxy. The request should be accepted without the configured password, demonstrating the authentication bypass.
Remediation
Users should update to OpenClaw version 2026.2.12 or later, and ensure that a BlueBubbles webhook password is configured. Avoid exposing the gateway webhook endpoint publicly without authentication.
