Platform: nodejs
Component: openclaw
Fixed version: 2026.2.21
CVE-2026-32896 describes a security vulnerability in the BlueBubbles webhook handler within the OpenClaw iMessage plugin. This flaw allows unauthenticated webhook events to be triggered in certain reverse-proxy or local routing configurations, effectively bypassing password-based authentication. The vulnerability impacts OpenClaw versions prior to 2026.2.21, and a fix is available in version 2026.2.21.
The primary impact of CVE-2026-32896 is the potential for unauthorized access to data or functionality exposed through the OpenClaw webhook system. An attacker who can manipulate network routing or proxy configurations could craft malicious webhook events and trigger unintended actions within the OpenClaw environment. This could lead to data breaches, system compromise, or denial of service. The risk is amplified in environments where sensitive information is processed via webhooks, or where the webhook system is integrated with other critical services. While the vulnerability requires specific network configurations, the potential for exploitation warrants immediate attention.
CVE-2026-32896 was publicly disclosed on 2026-03-03. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not widely available, but the vulnerability's nature suggests that it could be exploited relatively easily by attackers with network configuration expertise.
Organizations utilizing OpenClaw with the optional BlueBubbles plugin and deploying it behind reverse proxies or in local routing environments are at increased risk. Specifically, those who have not configured password authentication for incoming webhook events are directly vulnerable. Shared hosting environments where OpenClaw is deployed alongside other applications may also be affected if network configurations are not properly isolated.
• nodejs / server: npm list openclaw
• nodejs / server: grep -r 'extensions/bluebubbles' /path/to/openclaw/node_modules
• nodejs / server: ps aux | grep -i bluebubbles
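Added example, not code from the advisory or from the OpenClaw project: a POSIX shell check that pairs the `npm list openclaw` inventory step above with the fixed version 2026.2.21 stated on this page, comparing the calendar-style version fields numerically so that an installed 2026.2.9 is reported as affected rather than sorted above 2026.2.21. The sample version strings are constructed, and the `openclaw@X.Y.Z` form of the `npm list` output is an assumption.

```shell
#!/bin/sh
# Added example, not code from the advisory or the OpenClaw project: report whether
# an installed OpenClaw predates the fixed release 2026.2.21 named on this page.
FIXED_VERSION="2026.2.21"

# version_lt A B: return 0 when A < B, comparing up to three dot-separated numeric
# fields. OpenClaw uses calendar-style versions, so a plain string comparison
# would wrongly rank 2026.2.9 above 2026.2.21.
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i"); y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# openclaw_affected VERSION: print "affected" or "fixed"; return 0 when affected.
# A leading "v" is ignored. A pre-release tag on the fixed version (for example the
# constructed string 2026.2.21-rc1) sorts before the release, so it is still affected.
openclaw_affected() {
  v=${1#v}
  num=$(printf '%s\n' "$v" | sed 's/[^0-9.].*$//')
  pre=${v#"$num"}
  if version_lt "$num" "$FIXED_VERSION" ||
     { [ "$num" = "$FIXED_VERSION" ] && [ -n "$pre" ]; }; then
    echo affected; return 0
  fi
  echo fixed; return 1
}

# installed_openclaw_version: pull X.Y.Z out of the `npm list openclaw` output,
# assumed to contain a line such as "openclaw@2026.2.10"; empty when not installed.
installed_openclaw_version() {
  npm list openclaw 2>/dev/null | sed -n 's/.*openclaw@\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

if command -v npm >/dev/null 2>&1; then
  iv=$(installed_openclaw_version)
  if [ -n "$iv" ]; then
    printf 'openclaw %s: %s (fixed in %s)\n' "$iv" "$(openclaw_affected "$iv")" "$FIXED_VERSION"
  else
    echo "openclaw is not reported by npm list"
  fi
fi
```

Run it from the directory that holds the OpenClaw installation so that `npm list` resolves the right package tree; the grep and ps steps above still confirm whether the BlueBubbles plugin is actually present and running.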
EPSS: 0.08% (23rd percentile)
The primary mitigation for CVE-2026-32896 is to upgrade OpenClaw to version 2026.2.21 or later, which includes the fix for this authentication bypass. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the webhook endpoint to trusted networks or implementing stricter firewall rules. Additionally, ensure that webhook password authentication is always enabled for incoming webhook events. After upgrading, verify the fix by attempting to trigger a webhook event from an unauthorized network and confirming that authentication is enforced.
Update OpenClaw to version 2026.2.21 or later. This release fixes the unauthenticated webhook access flaw by enforcing proper authentication. The update prevents attackers from exploiting reverse-proxy or local routing configurations to send unauthenticated webhook events to the BlueBubbles plugin.
CVE-2026-32896 is a medium severity vulnerability affecting OpenClaw versions before 2026.2.21. It allows unauthenticated webhook events in specific network configurations, bypassing password authentication.
You are affected if you use OpenClaw with the BlueBubbles plugin and are running a version prior to 2026.2.21, particularly if deployed behind a reverse proxy or with local routing and webhook password authentication is disabled.
Upgrade OpenClaw to version 2026.2.21 or later. As a temporary workaround, restrict access to the webhook endpoint or enable webhook password authentication.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited by attackers with network configuration expertise.
Refer to the OpenClaw project's official advisory channels and release notes for details regarding CVE-2026-32896 and the corresponding fix.