CVE-2026-29613
OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.
| CWE | CWE-306 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Mar 5, 2026 |
| Last Updated | Mar 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
OpenClaw / OpenClaw
0 < 2026.2.12
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87 github.com: https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f github.com: https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a vulncheck.com: https://www.vulncheck.com/advisories/openclaw-webhook-authentication-bypass-via-loopback-remoteaddress-trust
Credits
๐ Petr Simecek (@simecek) Stanislav Fort, Aisle Research, www.aisle.com