Platform: nodejs
Component: openclaw
Fixed version: 2026.2.12
CVE-2026-29613 describes an Authentication Bypass vulnerability affecting OpenClaw versions 0 through 2026.2.12. This flaw resides within the BlueBubbles plugin's webhook handler, allowing attackers to bypass authentication mechanisms. Successful exploitation could lead to unauthorized injection of BlueBubbles message and reaction events, potentially compromising the integrity of the system. A patch is available in version 2026.2.12.
The core of this vulnerability lies in the webhook handler's authentication check. When OpenClaw runs behind a reverse proxy, every request reaches the handler from the proxy's loopback address. Instead of validating the forwarding headers to establish who the real client is, the handler treats a loopback remote address as sufficient proof of a trusted caller and skips the configured webhook password. An attacker able to reach the proxy can therefore send requests that pass authentication without knowing the password, and inject arbitrary BlueBubbles message and reaction events, impersonating legitimate users or triggering unintended actions within the OpenClaw environment. The impact ranges from minor disruption to significant data manipulation, depending on the permissions associated with the injected events.
This vulnerability was publicly disclosed on March 5, 2026. There is currently no indication of active exploitation campaigns targeting CVE-2026-29613. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing. The CVSS score of 5.9 (MEDIUM) suggests a moderate level of exploitability and potential impact.
Organizations deploying OpenClaw behind reverse proxies, particularly those utilizing the BlueBubbles plugin, are at risk. Shared hosting environments where OpenClaw instances share infrastructure with other tenants are also potentially vulnerable, as an attacker could leverage a compromised tenant to target the OpenClaw webhook endpoint.
• nodejs: Monitor OpenClaw logs for unusual webhook activity originating from unexpected IP addresses.
  grep 'webhook' /var/log/openclaw/access.log | grep -v '127.0.0.1'
• nodejs: Check for modifications to the BlueBubbles plugin code that might indicate an attempt to bypass authentication.
  find /opt/openclaw/plugins/bluebubbles -type f -mtime -7
• generic web: Examine reverse proxy logs for requests to the OpenClaw webhook endpoint with missing or manipulated forwarding headers.
• generic web: Verify that the reverse proxy is configured to properly validate forwarding headers and only allow requests from trusted sources.
disclosure
Exploitation status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-29613 is to upgrade OpenClaw to version 2026.2.12 or later, which includes the fix for this authentication bypass. If an immediate upgrade is not feasible, consider implementing a reverse proxy configuration that strictly validates forwarding headers (e.g., X-Forwarded-For, X-Forwarded-Proto) and only allows requests from trusted proxy IPs. Additionally, review and strengthen webhook password policies to ensure they are sufficiently complex and regularly rotated. After upgrade, confirm proper authentication by attempting to trigger a webhook event from a non-proxied network.
Update OpenClaw to 2026.2.12 or later. This version fixes the webhook authentication bypass by properly validating forwarding headers when running behind a reverse proxy.
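The check described in the vulnerability analysis above and the mitigation just given, shown side by side as an added, hypothetical Node.js illustration (this is not OpenClaw's or the BlueBubbles plugin's actual handler code; the request shape, `trustedProxies` and `allowedClients` settings are assumptions):

```javascript
// Hypothetical request shape: { remoteAddress, headers } with lowercase header names.
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Vulnerable pattern (the bug class described above): a loopback socket
// address alone waives the webhook password. Behind a reverse proxy every
// request arrives from loopback, so proxied callers never reach the check.
function vulnerableAuth(req, config) {
  if (LOOPBACK.has(req.remoteAddress)) return true;
  return req.headers['x-webhook-password'] === config.password;
}

// Constant-time string comparison so the password check does not leak
// the position of the first mismatching character.
function safeEqual(a, b) {
  const x = String(a ?? ''), y = String(b ?? '');
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x.charCodeAt(i) || 0) ^ (y.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Resolve the real client: honour X-Forwarded-For only when the socket peer
// is a configured trusted proxy; from anyone else the header is untrusted input.
function clientAddress(req, config) {
  const fwd = req.headers['x-forwarded-for'];
  if (fwd && config.trustedProxies.includes(req.remoteAddress)) {
    return fwd.split(',').pop().trim(); // entry appended by the trusted hop
  }
  return req.remoteAddress;
}

// Hardened pattern: the password is always required; the resolved client
// address only feeds an optional allowlist and is never an authentication
// shortcut on its own.
function hardenedAuth(req, config) {
  if (!config.password) return false; // no configured password means deny
  if (!safeEqual(req.headers['x-webhook-password'], config.password)) return false;
  const client = clientAddress(req, config);
  return !config.allowedClients || config.allowedClients.includes(client);
}
```

With a proxied request carrying no password, `vulnerableAuth` returns true while `hardenedAuth` returns false; a forwarded header arriving from a peer that is not a trusted proxy is ignored in favour of the socket address.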
CVE-2026-29613 is a vulnerability in OpenClaw versions 0–2026.2.12 where the BlueBubbles plugin's webhook handler doesn't properly validate forwarding headers, allowing attackers to bypass authentication.
You are affected if you are running OpenClaw versions 0 through 2026.2.12 and are using the BlueBubbles plugin, especially if your OpenClaw instance is behind a reverse proxy.
Upgrade OpenClaw to version 2026.2.12 or later. If immediate upgrade isn't possible, configure your reverse proxy to strictly validate forwarding headers.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-29613.
Refer to the official OpenClaw security advisory for detailed information and updates regarding CVE-2026-29613.