CVE-2026-26316
HIGHOpenClaw < 2026.2.13 - Incorrect Authorization via BlueBubbles Webhook Loopback Bypass
Title source: llmDescription
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758
Patch x_refsource_misc
https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a
Patch x_refsource_misc
https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f
Release Notes x_refsource_misc
https://github.com/openclaw/openclaw/releases/tag/v2026.2.13
Scores
CVSS v3
7.5
EPSS
0.0032
EPSS Percentile
23.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (3)
npm/openclaw
0 - 2026.2.13npm
openclaw/bluebubbles
0 - 2026.2.13npm
openclaw/openclaw
< 2026.2.13
Published
Feb 19, 2026
Tracked Since
Feb 20, 2026