CVE-2026-26316: OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust
In affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1), even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled.
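The flaw described above, shown as an added example in TypeScript that is not OpenClaw's own code: the vulnerable pattern treats a loopback peer address as a credential, while the hardened pattern requires the configured webhook secret on every request and fails closed when no secret is configured. The `WebhookRequest` shape and the `presentedSecret` field are assumptions for illustration; the loopback addresses are the ones named in the advisory. Loopback is not a credential because a local reverse proxy, any other process on the host, or a server-side request made by the application itself all arrive from 127.0.0.1.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Hypothetical request shape: only the fields the authorization check needs.
export interface WebhookRequest {
  remoteAddress: string;     // TCP peer address as reported by the HTTP server
  presentedSecret?: string;  // secret the caller supplied (assumed header/query value)
}

// Loopback peer addresses listed in the advisory.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

export function isLoopback(addr: string): boolean {
  return LOOPBACK.has(addr);
}

// Constant-time comparison over fixed-length SHA-256 digests, so neither the
// secret length nor the position of the first mismatching byte leaks via timing.
export function secretsMatch(
  presented: string | undefined,
  configured: string | undefined,
): boolean {
  if (!presented || !configured) return false; // missing on either side: fail closed
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(configured).digest();
  return timingSafeEqual(a, b);
}

// VULNERABLE pattern, modelled on the advisory text (not the project's code):
// a loopback peer is accepted even if the secret is absent or wrong.
export function authorizeVulnerable(req: WebhookRequest, configured?: string): boolean {
  if (isLoopback(req.remoteAddress)) return true;
  return secretsMatch(req.presentedSecret, configured);
}

// HARDENED pattern: the shared secret is the only credential. The peer address
// is never consulted, and an unconfigured secret rejects every request.
export function authorizeFixed(req: WebhookRequest, configured?: string): boolean {
  return secretsMatch(req.presentedSecret, configured);
}

// Constructed sample requests to exercise both checks side by side.
export function demo(): Record<string, boolean> {
  const configured = "example-webhook-secret"; // constructed value
  const localNoSecret: WebhookRequest = { remoteAddress: "127.0.0.1" };
  const remoteGoodSecret: WebhookRequest = {
    remoteAddress: "10.0.0.5",
    presentedSecret: configured,
  };
  return {
    vulnerableLocalNoSecret: authorizeVulnerable(localNoSecret, configured), // true: the bug
    fixedLocalNoSecret: authorizeFixed(localNoSecret, configured),           // false
    fixedRemoteGoodSecret: authorizeFixed(remoteGoodSecret, configured),     // true
    fixedNoSecretConfigured: authorizeFixed(remoteGoodSecret, undefined),    // false
  };
}
```

A regression test for the fix is the first two entries of `demo()`: a loopback request without the secret must be rejected by the hardened check. Hashing both sides before `timingSafeEqual` is a convenience so that unequal-length inputs can be compared without throwing; the security property comes from the secret being required at all, not from the comparison alone.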
References
- github.com/advisories/GHSA-pchc-86f6-8758
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a
- github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f
- github.com/openclaw/openclaw/releases/tag/v2026.2.12
- github.com/openclaw/openclaw/releases/tag/v2026.2.13
- github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758
- nvd.nist.gov/vuln/detail/CVE-2026-26316