Description

OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.

INFO

Published Date :

2026-02-19T21:28:33.454Z

Last Modified :

2026-02-20T15:41:50.888Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26316 vulnerability.

Vendors Products
Openclaw
  • @openclaw/bluebubbles
  • Openclaw
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26316.

URL Resource
https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a cve-icon cve-icon
https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f cve-icon cve-icon
https://github.com/openclaw/openclaw/releases/tag/v2026.2.13 cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact