Missing Authentication for Critical Function in OpenClaw - CVE-2026-32896

 

Published: May 1, 2026


Vulnerability identifier: #VU128835
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32896
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to send unauthenticated webhook events.

The vulnerability exists due to missing authentication in the extensions/bluebubbles webhook handler when handling incoming webhook events in deployments where webhook password authentication is not configured. A remote attacker can send a crafted webhook request and have it processed as an unauthenticated webhook event.

Only deployments using the optional BlueBubbles plugin with custom or manual configurations that omitted webhook password authentication are vulnerable.


How to mitigate CVE-2026-32896

Install the security update from the vendor's website.

Sources