CVE-2026-32896
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
Description
### Summary

BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events.

### Affected Component and Scope

- Component: `extensions/bluebubbles` webhook handler
- Scope: only deployments using the optional BlueBubbles plugin where webhook password auth was not configured for incoming webhook events

### Affected Packages / Versions

- Package: `openclaw/openclaw` (npm)
- Latest published npm version at triage time (2026-02-21): `2026.2.19-2`
- Affected structured range: `<=2026.2.19-2`
- Fixed on `main`; planned patched release: `2026.2.21` (`>=2026.2.21`)

### Details

The vulnerable implementation had multiple auth branches, including a passwordless fallback with loopback/proxy heuristics. The fix uses a single authentication codepath:

- the inbound webhook token/guid must match `channels.bluebubbles.password`
- webhook target matching is consolidated into shared plugin-sdk logic
- BlueBubbles config validation now requires `password` when `serverUrl` is set

### Impact

BlueBubbles is an optional beta iMessage plugin, and the onboarding/channel-add flows already require a password. Practical exposure is mainly custom/manual configurations that omitted webhook password authentication.

### Remediation

- Upgrade to a release that includes this patch (`>=2026.2.21`, planned).
- Ensure BlueBubbles webhook delivery includes a matching password (`?password=<password>` or `x-password`).

### Fix Commit(s)

- `6b2f2811dc623e5faaf2f76afaa9279637174590`
- `283029bdea23164ab7482b320cb420d1b90df806`

### Release Process Note

`patched_versions` is pre-set to the planned next release (`2026.2.21`) so that once the npm release is out, the advisory can be published without additional ticket edits.

OpenClaw thanks @zpbrent for reporting.
How to fix CVE-2026-32896
To remediate CVE-2026-32896, upgrade the affected package to a fixed version below.
- Upgrade to 2026.2.21 or later
Is CVE-2026-32896 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.