CVE-2026-8305
Received Received - Intake
Improper Authentication in OpenClaw BlueBubbles Webhook

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 2026.2.12 is sufficient to resolve this issue. The patch is named a6653be0265f1f02b9de46c06f52ea7c81a836e6. The affected component should be upgraded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8305
EUVD
EUVD-2026-29158
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
openclaw bluebubbles to 2026.1.24 (inc)
openclaw bluebubbles 2026.2.12
openclaw openclaw to 2026.2.12 (exc)
openclaw openclaw 2026.2.12
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8305 is a security vulnerability in the BlueBubbles webhook authentication system of OpenClaw. The flaw occurs because the webhook handler unconditionally trusted requests originating from loopback addresses (such as 127.0.0.1 or ::1) without verifying the shared-secret token. This allowed attackers to bypass authentication by sending requests through a loopback proxy, especially in setups where external traffic is forwarded to the loopback interface via a same-host reverse proxy. As a result, attackers could inject unauthorized webhook events without knowing the BlueBubbles password.

The vulnerability was caused by an authentication bypass due to trusting loopback-origin requests without proper verification. The issue was fixed by removing this loopback trust shortcut, ensuring that all requests, including those from loopback addresses, require valid authentication.

Impact Analysis

This vulnerability can have significant security impacts. Attackers can bypass authentication and inject malicious webhook events, potentially triggering unauthorized workflows or actions within the BlueBubbles system.

Exploitation can lead to credential theft through cleartext transmission of administrative passwords via Server-Side Request Forgery (SSRF), and may even enable remote command execution (RCE) through prompt injection.

Because the vulnerability allows unauthenticated access to sensitive endpoints, it can compromise the integrity of the system and expose it to further attacks.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade the OpenClaw BlueBubbles component to version 2026.2.12 or later, which includes the security fix removing the unconditional trust of loopback-originated requests.

If upgrading immediately is not possible, ensure that the webhook authentication logic does not bypass authentication checks for requests originating from loopback addresses. This involves disabling any configuration or code that automatically trusts localhost requests without verifying the shared-secret token.

Additionally, review and update your test suites and configurations to enforce strict authentication for all webhook requests, including those from loopback IPs, to prevent unauthorized access.

Avoid deploying the BlueBubbles webhook behind a same-host reverse proxy that forwards external traffic to the loopback interface without proper authentication enforcement.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unauthenticated requests to the BlueBubbles webhook endpoint, especially those originating from loopback addresses (e.g., 127.0.0.1, ::1). Since the flaw involves bypassing authentication via loopback proxy trust, checking logs for webhook requests that do not include valid authentication tokens but originate from loopback IPs can indicate exploitation attempts.

Suggested commands include inspecting network traffic or logs for suspicious webhook requests. For example, using tools like curl or netcat to test the webhook endpoint without authentication from localhost can help verify if the vulnerability exists.

  • curl -v -H "Authorization: Bearer invalidtoken" http://localhost:<webhook_port>/bluebubbles/webhook
  • grep 'bluebubbles' /var/log/<webhook_access_log> | grep '127.0.0.1' | grep -v 'Authorization: Bearer <valid_token>'

Additionally, reviewing test cases or webhook handler logs to ensure that requests from loopback addresses require proper authentication can help detect the vulnerability.

Compliance Impact

CVE-2026-8305 allows unauthenticated attackers to bypass authentication in the BlueBubbles webhook system, enabling injection of unauthorized webhook events and potential unauthorized access to sensitive data or workflows.

Such unauthorized access and data manipulation could lead to violations of data protection regulations like GDPR or HIPAA, which require strict access controls and protection of personal and sensitive information.

Because the vulnerability enables attackers to forge sender/chat context and trigger unauthorized workflows, it increases the risk of data integrity and confidentiality breaches, which are critical compliance requirements under these standards.

Organizations using affected versions of OpenClaw should upgrade to version 2026.2.12 to remediate the issue and maintain compliance with security best practices mandated by such regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8305. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart