Improper Authentication in OpenClaw - CVE-2026-26316

Published: May 4, 2026


Vulnerability identifier: #VU129493
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-26316
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to inject inbound webhook events into the agent pipeline.

The vulnerability exists because the BlueBubbles webhook endpoint does not properly authenticate webhook requests that arrive from loopback addresses. A remote attacker who can reach the endpoint through a same-host reverse proxy or an SSRF path can send a specially crafted webhook request and inject inbound webhook events into the agent pipeline.

This affects only deployments where the optional BlueBubbles iMessage channel plugin is installed and enabled.
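The weakness described above is a webhook handler that treats the peer address as proof of origin. The following TypeScript is an added illustration written for this page, not OpenClaw or BlueBubbles project code: it places a loopback-trust check beside a shared-secret check and adds a small forwarding indicator a defender can log on. The header names, the secret value and the sample requests are all constructed assumptions.

```typescript
// Added example (not OpenClaw or BlueBubbles code). Contrasts trusting the
// peer address with requiring a shared secret on a webhook endpoint.

interface WebhookRequest {
  remoteAddr: string;              // peer address as seen by the listening socket
  headers: Record<string, string>; // header names lower-cased
  body: string;                    // raw webhook payload
}

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Weak pattern: accept anything whose TCP peer is the local host. A same-host
// reverse proxy or an SSRF primitive in another local service also arrives
// from loopback, so this check does not establish who sent the request.
function acceptsByLoopback(req: WebhookRequest): boolean {
  return LOOPBACK.has(req.remoteAddr);
}

// Constant-time comparison so the check does not leak the secret via timing.
function secretsEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Hardened pattern: require a per-deployment secret presented by the sender,
// independent of the peer address. The header name is an assumption.
function acceptsBySecret(req: WebhookRequest, expected: string): boolean {
  const presented = req.headers["x-webhook-secret"];
  return (
    expected.length > 0 &&
    typeof presented === "string" &&
    secretsEqual(presented, expected)
  );
}

// Detection aid: a loopback peer that carries proxy headers was forwarded
// from somewhere else. Worth logging when the loopback shortcut is in place.
function looksForwarded(req: WebhookRequest): boolean {
  if (!LOOPBACK.has(req.remoteAddr)) return false;
  return "x-forwarded-for" in req.headers || "via" in req.headers;
}

// Constructed sample traffic; placeholder secret, not a real credential.
const SHARED_SECRET = "example-deployment-secret";

const viaLocalProxy: WebhookRequest = {
  remoteAddr: "127.0.0.1",
  headers: { "x-forwarded-for": "203.0.113.7" },
  body: '{"type":"new-message","data":{"text":"injected"}}',
};

const genuine: WebhookRequest = {
  remoteAddr: "127.0.0.1",
  headers: { "x-webhook-secret": SHARED_SECRET },
  body: '{"type":"new-message","data":{"text":"hello"}}',
};

// Runs both checks over the two samples and returns the outcomes.
function evaluate() {
  return {
    proxyPassesLoopbackCheck: acceptsByLoopback(viaLocalProxy), // true: the weakness
    proxyPassesSecretCheck: acceptsBySecret(viaLocalProxy, SHARED_SECRET), // false
    genuinePassesSecretCheck: acceptsBySecret(genuine, SHARED_SECRET), // true
    proxyLooksForwarded: looksForwarded(viaLocalProxy), // true
  };
}

console.log(evaluate());
```

The point of the contrast is that the forwarded request and the genuine one are indistinguishable by peer address alone; only a credential the sender must present separates them. The `looksForwarded` helper is a logging signal, not an access control: proxy headers can be omitted or set by the sender, so it supports detection rather than replacing the secret check.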


How to mitigate CVE-2026-26316

Install the security update from the vendor's website.

Sources