Vulnerability Description
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.13 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a0Patch
- https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdPatch
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.13ProductRelease Notes
- https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758PatchVendor Advisory
FAQ
What is CVE-2026-26316?
CVE-2026-26316 is a vulnerability with a CVSS score of 7.5 (HIGH). OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopba...
How severe is CVE-2026-26316?
CVE-2026-26316 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-26316?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.