CVE-2026-8305
Improper Authentication in OpenClaw BlueBubbles Webhook

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 2026.2.12 is sufficient to resolve this issue. The patch is named a6653be0265f1f02b9de46c06f52ea7c81a836e6. The affected component should be upgraded.
Meta Information
Generated: 2026-05-11
AI Q&A generated: 2026-05-11
EPSS evaluated: N/A
Affected Vendors & Products (4 associated CPEs)
Vendor    Product      Version / Range
openclaw  bluebubbles  up to 2026.1.24 (inclusive)
openclaw  bluebubbles  2026.2.12
openclaw  openclaw     up to 2026.2.12 (exclusive)
openclaw  openclaw     2026.2.12
CWE ID   Description
CWE-287  When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or unauthenticated requests to the BlueBubbles webhook endpoint, especially those originating from loopback addresses (e.g., 127.0.0.1, ::1). Since the flaw involves bypassing authentication via loopback proxy trust, checking logs for webhook requests that do not include valid authentication tokens but originate from loopback IPs can indicate exploitation attempts.

Suggested checks include inspecting network traffic or logs for suspicious webhook requests, and sending a request with a missing or invalid token to the webhook endpoint from localhost with a tool such as curl or netcat to verify whether the loopback shortcut is still in place.

  • curl -v -H "Authorization: Bearer invalidtoken" http://localhost:<webhook_port>/bluebubbles/webhook
  • grep 'bluebubbles' /var/log/<webhook_access_log> | grep '127.0.0.1' | grep -v 'Authorization: Bearer <valid_token>'

Additionally, reviewing test cases or webhook handler logs to ensure that requests from loopback addresses require proper authentication can help detect the vulnerability.


Can you explain this vulnerability to me?

CVE-2026-8305 is a security vulnerability in the BlueBubbles webhook authentication system of OpenClaw. The flaw occurs because the webhook handler unconditionally trusted requests originating from loopback addresses (such as 127.0.0.1 or ::1) without verifying the shared-secret token. This allowed attackers to bypass authentication by sending requests through a loopback proxy, especially in setups where external traffic is forwarded to the loopback interface via a same-host reverse proxy. As a result, attackers could inject unauthorized webhook events without knowing the BlueBubbles password.

The root cause is that a loopback origin was treated as proof of identity (CWE-287) instead of the shared-secret token. The fix removes this loopback trust shortcut, so that every request, including those from loopback addresses, must present valid authentication.


How can this vulnerability impact me?

This vulnerability can have significant security impacts. Attackers can bypass authentication and inject malicious webhook events, potentially triggering unauthorized workflows or actions within the BlueBubbles system.

Exploitation can lead to credential theft through cleartext transmission of administrative passwords via Server-Side Request Forgery (SSRF), and may even enable remote command execution (RCE) through prompt injection.

Because the vulnerability allows unauthenticated access to sensitive endpoints, it can compromise the integrity of the system and expose it to further attacks.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade the OpenClaw BlueBubbles component to version 2026.2.12 or later, which includes the security fix removing the unconditional trust of loopback-originated requests.

If upgrading immediately is not possible, ensure that the webhook authentication logic does not bypass authentication checks for requests originating from loopback addresses. This involves disabling any configuration or code that automatically trusts localhost requests without verifying the shared-secret token.

Additionally, review and update your test suites and configurations to enforce strict authentication for all webhook requests, including those from loopback IPs, to prevent unauthorized access.

Avoid deploying the BlueBubbles webhook behind a same-host reverse proxy that forwards external traffic to the loopback interface without proper authentication enforcement.
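The loopback shortcut described in the explanation above, beside the hardened check the mitigation steps call for, as an added example. This is illustrative code, not OpenClaw's handler or its actual patch; the request shape, the function names and the `password` query parameter are assumptions.

```typescript
// Added illustration, not OpenClaw's handler or patch; request shape and names are assumed.
interface WebhookRequest {
  remoteAddress: string;            // socket peer address as the handler sees it
  headers: Record<string, string>;  // header names lower-cased
  query: Record<string, string>;    // parsed query string
}

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

function isLoopback(addr: string): boolean {
  return LOOPBACK.has(addr);
}

// Shared secret from a bearer header or an assumed `password` query parameter.
function presentedToken(req: WebhookRequest): string | undefined {
  const auth = req.headers["authorization"];
  if (auth && auth.startsWith("Bearer ")) return auth.slice("Bearer ".length);
  return req.query["password"];
}

// Constant-time comparison so validation does not leak a prefix match through timing.
function tokensMatch(presented: string | undefined, secret: string): boolean {
  if (presented === undefined || presented.length !== secret.length) return false;
  let diff = 0;
  for (let i = 0; i < secret.length; i++) diff |= presented.charCodeAt(i) ^ secret.charCodeAt(i);
  return diff === 0;
}

// Vulnerable pattern (CWE-287): a loopback peer is trusted before the token is checked.
// Behind a same-host reverse proxy every external request arrives from 127.0.0.1,
// so the shortcut turns the webhook into an unauthenticated endpoint.
function authorizeVulnerable(req: WebhookRequest, secret: string): boolean {
  if (isLoopback(req.remoteAddress)) return true;
  return tokensMatch(presentedToken(req), secret);
}

// Hardened version: the peer address is never an authentication factor;
// every request, loopback included, must carry the shared secret.
function authorizeFixed(req: WebhookRequest, secret: string): boolean {
  return tokensMatch(presentedToken(req), secret);
}

// Constructed sample: an external request forwarded by a same-host proxy with a bad token.
const SECRET = "constructed-shared-secret";
const proxiedRequest: WebhookRequest = {
  remoteAddress: "127.0.0.1",
  headers: { authorization: "Bearer invalidtoken", "x-forwarded-for": "203.0.113.7" },
  query: {},
};
```

With the proxied sample, `authorizeVulnerable` accepts the request purely because the socket peer is loopback, while `authorizeFixed` rejects it; the same request with the real secret passes both.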


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-8305 allows unauthenticated attackers to bypass authentication in the BlueBubbles webhook system, enabling injection of unauthorized webhook events and potential unauthorized access to sensitive data or workflows.

Such unauthorized access and data manipulation could lead to violations of data protection regulations like GDPR or HIPAA, which require strict access controls and protection of personal and sensitive information.

Because the vulnerability enables attackers to forge sender/chat context and trigger unauthorized workflows, it increases the risk of data integrity and confidentiality breaches, which are critical compliance requirements under these standards.

Organizations using affected versions of OpenClaw should upgrade to version 2026.2.12 to remediate the issue and maintain compliance with security best practices mandated by such regulations.

