OpenClaw BlueBubbles Webhook Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in OpenClaw versions up to 2026.1.24, in the BlueBubbles webhook handler. The function handleBlueBubblesWebhookRequest in monitor.ts treats requests arriving from a loopback address as trusted and skips the shared-secret check for them. When the gateway is deployed behind a reverse proxy that forwards to loopback, every request, including one from a remote attacker, reaches the handler with a loopback source address, so the check authenticates nothing. A remote attacker can therefore inject webhook events without the shared secret, potentially leading to unauthorized actions within the application.

Impact

Successful exploitation bypasses webhook authentication and lets an attacker inject arbitrary webhook events. Because the BlueBubbles plugin processes injected events as if they came from a legitimate BlueBubbles server, this can be used to trigger sensitive commands through the plugin.

Reproduction

To reproduce this vulnerability, enable the BlueBubbles plugin and configure a webhook password. Expose the OpenClaw gateway through a reverse proxy that forwards requests to the loopback address; this is the deployment pattern the flaw depends on, since the handler must observe a loopback peer address. Then send a request to the BlueBubbles webhook path without the required authentication headers. The handler sees the proxy's loopback source address rather than the remote client's, accepts the request, and processes the injected event, bypassing the password check.
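The check pattern described in the Vulnerability and Reproduction sections, shown beside a hardened form, as an added illustrative example. This is not OpenClaw's code and does not reproduce monitor.ts; it models the described logic on a minimal request shape. The header name x-bluebubbles-password, the address 203.0.113.7, and the sample requests are assumptions constructed for the example.

```typescript
// Added illustrative example, not OpenClaw's own code. The header name
// "x-bluebubbles-password" and all addresses below are assumptions.

interface WebhookRequest {
  remoteAddress: string;                        // TCP peer as the Node server sees it
  headers: Record<string, string | undefined>;  // header names lowercased, as Node does
}

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

function isLoopback(addr: string): boolean {
  return LOOPBACK.has(addr);
}

// Constant-time comparison so a secret check does not leak how many
// leading characters matched. In production prefer crypto.timingSafeEqual.
function secretsMatch(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Vulnerable pattern: a loopback peer is accepted before the secret is checked.
// Behind a reverse proxy that forwards to loopback, every request arrives from
// 127.0.0.1, so anyone who can reach the proxy passes this check.
function isAuthorizedVulnerable(req: WebhookRequest, password: string): boolean {
  if (isLoopback(req.remoteAddress)) return true;
  const supplied = req.headers["x-bluebubbles-password"];
  return supplied !== undefined && secretsMatch(supplied, password);
}

// Hardened pattern: the shared secret is required on every request and the
// peer address is never used as an authentication factor.
function isAuthorizedFixed(req: WebhookRequest, password: string): boolean {
  const supplied = req.headers["x-bluebubbles-password"];
  return supplied !== undefined && secretsMatch(supplied, password);
}

// Constructed request as it looks after a reverse proxy forwards it to loopback:
// the TCP peer is 127.0.0.1, the real client only appears in X-Forwarded-For,
// and no secret is supplied.
const proxiedUnauthenticated: WebhookRequest = {
  remoteAddress: "127.0.0.1",
  headers: { "x-forwarded-for": "203.0.113.7" },
};

// Constructed request from a legitimate sender that carries the secret.
const proxiedWithSecret: WebhookRequest = {
  remoteAddress: "127.0.0.1",
  headers: { "x-forwarded-for": "203.0.113.7", "x-bluebubbles-password": "s3cret" },
};

// Runs both checks against the constructed requests with the configured password.
function demo(): { vulnerableAccepts: boolean; fixedRejects: boolean; fixedAcceptsSecret: boolean } {
  const password = "s3cret";
  return {
    vulnerableAccepts: isAuthorizedVulnerable(proxiedUnauthenticated, password),
    fixedRejects: !isAuthorizedFixed(proxiedUnauthenticated, password),
    fixedAcceptsSecret: isAuthorizedFixed(proxiedWithSecret, password),
  };
}

console.log(demo());
```

The point the example makes is that a source-address allowlist only means something when the address is the caller's; once a proxy terminates the connection, the peer address identifies the proxy, and the secret has to be checked unconditionally. Trusting X-Forwarded-For instead does not help either, since that header is attacker-controlled unless the proxy overwrites it.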

Remediation

Users should upgrade to OpenClaw version 2026.2.12, which contains the fix; the release notes for 2026.2.12 reference the patch. Until the upgrade is applied, restricting access to the BlueBubbles webhook path at the reverse proxy (for example, to the address of the BlueBubbles server that is expected to call it) prevents unauthenticated remote requests from reaching the handler.

Added: May 11, 2026, 6:53 PM
Updated: May 11, 2026, 6:53 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  8.3
remediation     0.0
relevance       8.0
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.