Description

OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.

INFO

Published Date :

2026-03-21T00:42:32.222Z

Last Modified :

2026-03-23T16:55:52.767Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32896 vulnerability.

Vendors Products
Openclaw
  • Openclaw
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32896.

URL Resource
https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90df806 cve-icon cve-icon
https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa9279637174590 cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm cve-icon cve-icon
https://www.vulncheck.com/advisories/openclaw-unauthenticated-webhook-access-via-passwordless-fallback-in-bluebubbles-plugin cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact