EUVD-2026-13972
GHSA-vh4c-j2xv-9pv9
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5Description
OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.
Analysis
OpenClaw versions prior to 2026.2.21 contain a passwordless fallback authentication bypass in the BlueBubbles webhook handler that allows attackers to send unauthenticated webhook events by exploiting loopback or reverse-proxy heuristics. The vulnerability affects the BlueBubbles plugin component and has a CVSS score of 4.8 (medium severity) with low attack complexity, enabling both confidentiality and integrity impact without requiring authentication or user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Audit authentication configurations.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today