Platform
nodejs
Component
openclaw
Fixed version
2026.2.12
CVE-2026-29613 describes an authentication bypass affecting OpenClaw versions prior to 2026.2.12. The flaw resides in the BlueBubbles plugin's webhook handler, which can be made to skip its authentication check. Successful exploitation allows unauthorized injection of BlueBubbles message and reaction events, compromising the integrity of the system. The fix is available in version 2026.2.12.
The core of the vulnerability is how the webhook handler decides whether a request is trusted. Rather than determining the real client address from the forwarding headers set by a reverse proxy, it relies solely on the connection's remote address: a request arriving from the loopback address is treated as local, and the configured webhook password is not enforced. When OpenClaw sits behind a reverse proxy on the same host, every proxied request reaches it from loopback, so any client able to reach the proxy can post to the webhook endpoint without knowing the password. This lets an attacker inject arbitrary BlueBubbles message and reaction events, effectively impersonating legitimate users or triggering unintended actions within the OpenClaw environment. The impact ranges from minor disruption to significant data manipulation, depending on what the injected events cause OpenClaw to do.
This vulnerability was publicly disclosed on March 5, 2026. There is currently no indication of active exploitation campaigns targeting CVE-2026-29613. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing. The CVSS score of 5.9 (MEDIUM) suggests a moderate level of exploitability and potential impact.
Organizations running the BlueBubbles plugin with OpenClaw deployed behind a reverse proxy are at risk. Shared hosting environments where OpenClaw instances share infrastructure with other tenants are also potentially exposed, since an attacker who compromises a neighbouring tenant could reach the OpenClaw webhook endpoint through the shared proxy.
• nodejs: Monitor OpenClaw's own logs for webhook requests that did not arrive via the loopback proxy (example log path assumed):
  grep 'webhook' /var/log/openclaw/access.log | grep -v '127.0.0.1'
  Caveat: this surfaces direct hits that bypassed the proxy, not the bypass itself. In the vulnerable configuration, attacker requests forwarded by a same-host proxy reach OpenClaw from 127.0.0.1 and are excluded by this filter, so correlate with the proxy's logs.
• nodejs: Check for unexpected modifications to the BlueBubbles plugin code (example install path assumed). Exploitation does not require touching plugin files, but recent changes there would indicate tampering:
  find /opt/openclaw/plugins/bluebubbles -type f -mtime -7
• generic web: Examine reverse proxy logs for requests to the OpenClaw webhook endpoint whose inbound X-Forwarded-For header, as received from the client, asserts a loopback or internal address; legitimate senders have no reason to supply such a value.
• generic web: Verify that the reverse proxy sets forwarding headers itself rather than passing client-supplied values through, and that it only accepts webhook requests from trusted sources.
Exploit status
EPSS
0.04% (12th percentile)
The primary mitigation for CVE-2026-29613 is to upgrade OpenClaw to version 2026.2.12 or later, which fixes the authentication bypass. If an immediate upgrade is not feasible, harden the reverse proxy in front of OpenClaw: have it set forwarding headers (e.g., X-Forwarded-For, X-Forwarded-Proto) itself rather than passing client-supplied values through, and restrict access to the webhook path to the trusted sources that legitimately deliver BlueBubbles events. Note that strengthening or rotating webhook passwords does not by itself close this gap, because the vulnerable handler skips the password check for requests it believes originate from loopback. After upgrading, verify the fix by sending a webhook request through the proxy without the configured password and confirming that it is rejected.
Update OpenClaw to version 2026.2.12 or later. This version fixes the webhook authentication bypass by correctly validating forwarding headers when running behind a reverse proxy.
CVE-2026-29613 is a vulnerability in OpenClaw versions prior to 2026.2.12 where the BlueBubbles plugin's webhook handler trusts the loopback remote address instead of validating forwarding headers, allowing requests that arrive through a reverse proxy to bypass webhook authentication.
You are affected if you are running an OpenClaw version prior to 2026.2.12 with the BlueBubbles plugin enabled, especially if your OpenClaw instance is behind a reverse proxy.
Upgrade OpenClaw to version 2026.2.12 or later. If an immediate upgrade isn't possible, configure your reverse proxy to set forwarding headers itself and to restrict access to the webhook endpoint to trusted sources.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-29613.
Refer to the official OpenClaw security advisory for detailed information and updates regarding CVE-2026-29613.