Platform
nodejs
Component
openclaw
Fixed in
2026.2.12
CVE-2026-29613 is an authentication bypass in OpenClaw versions before 2026.2.12 (the "Fixed in" release above). The flaw sits in the BlueBubbles plugin's webhook handler, which can be reached without the configured webhook password under a common deployment layout. Successful exploitation lets an unauthenticated sender inject BlueBubbles message and reaction events into OpenClaw, compromising the integrity of what the instance believes it received from BlueBubbles. The fix ships in version 2026.2.12.
The core of the vulnerability is how the webhook handler decides whether a request is trusted. It treats any connection arriving from the loopback address as local and skips the webhook password check, without looking at forwarding headers to tell a genuine local caller from a request relayed by a reverse proxy. When OpenClaw runs behind a reverse proxy on the same host, every proxied request reaches the handler with a loopback remote address, so any client that can reach the proxy can post to the webhook path with no password at all. An attacker can use this to inject arbitrary BlueBubbles message and reaction events, making them appear to come from legitimate iMessage contacts or triggering whatever OpenClaw is configured to do in response to inbound messages. The impact therefore ranges from nuisance traffic to significant data manipulation, depending on what the receiving OpenClaw instance does with injected events.
This vulnerability was publicly disclosed on March 5, 2026. There is currently no indication of active exploitation campaigns targeting CVE-2026-29613. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing. The CVSS score of 5.9 (MEDIUM) suggests a moderate level of exploitability and potential impact.
Exploit Status
EPSS
0.04% (12th percentile)
The primary mitigation for CVE-2026-29613 is to upgrade OpenClaw to version 2026.2.12 or later, which contains the fix for this authentication bypass. If an immediate upgrade is not feasible, restrict access to the BlueBubbles webhook path at the reverse proxy so that only the BlueBubbles server's address can reach it, and make sure the proxy sets a forwarding header (e.g., X-Forwarded-For) on every proxied request instead of presenting proxied traffic as bare loopback connections. Strengthening or rotating the webhook password does not help on its own, because a vulnerable handler never checks it for connections that arrive from loopback. After upgrading, confirm the fix by sending a webhook request through the proxy with no password (or a wrong one) and verifying that it is rejected; a request carrying the correct password should still be accepted.
Update OpenClaw to version 2026.2.12 or later. This version fixes the webhook authentication bypass vulnerability by correctly validating forwarding headers when operating behind a reverse proxy.
CVE-2026-29613 is a vulnerability in OpenClaw versions before 2026.2.12 where the BlueBubbles plugin's webhook handler trusts any loopback connection without checking forwarding headers, so requests relayed by a same-host reverse proxy bypass the webhook password.
You are affected if you are running an OpenClaw version before 2026.2.12 with the BlueBubbles plugin enabled, especially if your OpenClaw instance sits behind a reverse proxy on the same host.
Upgrade OpenClaw to version 2026.2.12 or later. If an immediate upgrade isn't possible, restrict who can reach the BlueBubbles webhook path at your reverse proxy and ensure the proxy marks forwarded requests with a forwarding header.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-29613.
Refer to the official OpenClaw security advisory for detailed information and updates regarding CVE-2026-29613.