CVE-2026-29613 HIGH

CVE-2026-29613: OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust

Vendor Openclaw
Product OpenClaw
Weakness CWE-306 · Missing auth
Published March 5, 2026
Last update March 9, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.

Key dates

02Disclosure timeline

March 5, 2026 CVE published
March 9, 2026 Record updated