CVE-2026-32896
4.8 MEDIUM
The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows ...
Published: 2026-03-21 · Last updated: 2026-05-26
Severity and scoring
- CVSS: 4.8 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
- CWE: CWE-306 (Missing Authentication for Critical Function)
Affected products
| Vendor | Product |
|---|---|
| openclaw | openclaw |
Description
The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.
Source: NVD
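The fallback described above, modeled as an added example (this is not OpenClaw's or BlueBubbles' code; the request shape, the `password` body field, the `x-forwarded-for` heuristic and the config layout are assumptions made for illustration): a webhook handler that waives the shared-secret check when a request looks as if it came from loopback, beside a hardened handler that always requires the secret. The constructed request matrix shows why a reverse proxy on the same host, or a client-supplied forwarding header, turns such a fallback into an unauthenticated path.

```javascript
// Added example, not OpenClaw's code. Models a webhook authorizer with a
// "local request" fallback (vulnerable) beside one that always requires the
// configured secret (hardened). Field names and heuristics are assumptions.

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Constant-time comparison of the presented secret against the configured one.
// Length is not treated as secret (crypto.timingSafeEqual has the same contract);
// in production prefer crypto.timingSafeEqual on equal-length Buffers.
function secretsMatch(provided, expected) {
  if (typeof provided !== "string" || typeof expected !== "string") return false;
  if (provided.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= provided.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Assumed vulnerable heuristic: the request is "local" if the socket peer is a
// loopback address OR a client-controlled X-Forwarded-For header names one.
function looksLocal(req) {
  const xff = (req.headers["x-forwarded-for"] || "").split(",")[0].trim();
  return LOOPBACK.has(req.remoteAddress) || LOOPBACK.has(xff);
}

// Vulnerable: a request that looks local is accepted without any password.
function vulnerableAuthorize(req, config) {
  if (looksLocal(req)) return { ok: true, via: "loopback-fallback" };
  if (secretsMatch(req.body.password, config.password)) return { ok: true, via: "password" };
  return { ok: false, via: "rejected" };
}

// Hardened: the shared secret is mandatory; apparent origin never substitutes
// for it, and an unconfigured secret fails closed instead of falling back.
function hardenedAuthorize(req, config) {
  if (!config.password) return { ok: false, via: "no-secret-configured" };
  if (secretsMatch(req.body.password, config.password)) return { ok: true, via: "password" };
  return { ok: false, via: "rejected" };
}

// Constructed sample deployment scenarios (assumed values, not captured traffic).
const CONFIG = { password: "s3cret-webhook-token" };

const SAMPLES = {
  // Listener exposed directly; attacker on the internet sends no password.
  direct: { remoteAddress: "203.0.113.7", headers: {}, body: { type: "new-message" } },
  // Listener behind a reverse proxy on the same host: the socket peer is always
  // loopback, so every forwarded request satisfies the heuristic.
  behindProxy: { remoteAddress: "127.0.0.1", headers: { "x-forwarded-for": "203.0.113.7" }, body: { type: "new-message" } },
  // Listener exposed directly; attacker spoofs a forwarding header naming loopback.
  spoofedHeader: { remoteAddress: "203.0.113.7", headers: { "x-forwarded-for": "127.0.0.1" }, body: { type: "new-message" } },
  // Legitimate BlueBubbles server presenting the configured secret.
  legit: { remoteAddress: "192.0.2.10", headers: {}, body: { type: "new-message", password: "s3cret-webhook-token" } },
};

// Runs every scenario through both authorizers; returns {name: {vulnerable, hardened}}.
function runMatrix() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = {
      vulnerable: vulnerableAuthorize(req, CONFIG).ok,
      hardened: hardenedAuthorize(req, CONFIG).ok,
    };
  }
  return out;
}

console.table(runMatrix());
```

Run it with `node` to print the matrix: the vulnerable authorizer accepts the `behindProxy` and `spoofedHeader` events without a password, the hardened one accepts only `legit`. The fix is structural rather than a better heuristic: the socket address and any `X-Forwarded-*` header are attacker-influenced in exactly the deployments the fallback was meant to help, so apparent origin must never stand in for the secret, and a listener with no secret configured should refuse to serve rather than fall back.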
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-32896
- [Patch] https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90df806
- [Patch] https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa9279637174590
- [Vendor advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm
- [Other] https://www.vulncheck.com/advisories/openclaw-unauthenticated-webhook-access-via-passwordless-fallback-in-bluebubbles-plugin
Related CVEs
Same vendor
- CVE-2026-53839 — OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes ins... (6.5 MEDIUM)
- CVE-2026-53838 — OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv... (9.8 CRITICAL)
- CVE-2026-53837 — OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel ty... (3.7 LOW)
- CVE-2026-53836 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to exec... (8.8 HIGH)
- CVE-2026-53835 — OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authentic... (4.3 MEDIUM)
Same CWE
- CVE-2026-0647 — An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server
- CVE-2018-25437 — WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download... (7.5 HIGH)
- CVE-2026-12183 — Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerabili... (9.8 CRITICAL)
- CVE-2026-53868 — Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses ... (7.5 HIGH)
- CVE-2026-50287 — AgenticMail gives AI agents real email addresses and phone numbers