OpenClaw BlueBubbles Plugin Webhook Authentication Bypass Vulnerability
Vulnerability
OpenClaw versions prior to 2026.2.21 contain an authentication bypass in the BlueBubbles plugin's webhook handler. The handler has a passwordless fallback authentication path: when no webhook password is configured, incoming events are accepted without any credential check. Under certain reverse-proxy or local routing configurations an attacker can therefore deliver unauthenticated webhook events to the BlueBubbles plugin, bypassing the intended authentication requirement.
Impact
An attacker who can reach the webhook endpoint can have the BlueBubbles plugin process webhook events it never authenticated, potentially triggering unauthorized actions or manipulating data within the application.
Reproduction
To reproduce, deploy OpenClaw with the BlueBubbles plugin enabled and leave the webhook password authentication unconfigured. Then deliver a webhook event to the plugin through a reverse proxy or local routing path, for example by setting the X-Forwarded-For header so that the request appears to have arrived through a proxy. Because no password is required on this path, the event is processed as if it were authenticated.
Remediation
Upgrade to OpenClaw version 2026.2.21 or later. In addition, configure a webhook password and make sure that BlueBubbles webhook delivery includes the matching password, so that deliveries without it are rejected. Instructions for updating can be found in the OpenClaw documentation.
