Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector applies as BlueBubbles is a messaging integration; AC:H and PR:L reflect participant-level prerequisite and non-trivial metadata manipulation; no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 4 npm packages depend on openclaw (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.5.7.
DescriptionCVE.org
OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.
AnalysisAI
Sender policy bypass in OpenClaw's BlueBubbles integration before version 2026.5.7 allows low-privileged conversation participants to impersonate allowlisted senders by manipulating conversation-level metadata rather than being validated against stable sender identity. An attacker who is already a participant in a conversation can craft or influence mutable conversation identifiers to match configured allowlist entries, causing the agent to respond to them as if they were an authorized sender and circumventing access controls. No public exploit code or active exploitation has been identified at time of analysis; the low CVSS score (2.3) and high attack complexity reflect real-world constraints.
Technical ContextAI
CWE-807 (Reliance on Untrusted Inputs in a Security Decision) describes the root cause precisely: OpenClaw's sender policy enforcement within the BlueBubbles channel resolves allowlist membership by consulting conversation-level metadata - identifiers that are mutable or attacker-influenceable - rather than a cryptographically stable or server-verified sender identity. The affected component is the BlueBubbles messaging integration within OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*), which is an open-source AI agent framework. The CVSS 4.0 attack target metric AT:P confirms that exploitation requires specific preconditions, and PR:L confirms that the attacker must already hold participant-level access to a conversation, not merely network reachability.
RemediationAI
Upgrade OpenClaw to version 2026.5.7 or later, which is the vendor-confirmed fix per the GitHub security advisory GHSA-8j37-5w68-wj2g. If immediate upgrade is not possible, a compensating control is to restrict the BlueBubbles integration's allowlist to identifiers that cannot be influenced by conversation participants - for example, by switching allowlist matching to rely exclusively on stable, server-assigned sender identifiers rather than mutable conversation metadata. Organizations should also audit which agent capabilities and responses are gated solely by the sender allowlist and consider adding secondary authorization checks for high-impact agent actions as a defense-in-depth measure. The trade-off of restricting or disabling BlueBubbles until patching is completed is a temporary loss of that messaging channel but eliminates the bypass surface entirely.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37162
GHSA-8hj2-w4c9-fjfq