Vulnerability DatabaseCVE-2026-32896
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-32896
March 21, 2026
OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.
Affected Packages
openclaw (NPM):
Affected version(s) >=0.0.1 <2026.2.21
Fix Suggestion:
Update to version 2026.2.21
Related ResourcesĀ (4)
https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa9279637174590
https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm
https://www.vulncheck.com/advisories/openclaw-unauthenticated-webhook-access-via-passwordless-fallback-in-bluebubbles-plugin
https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90df806
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Missing Authentication for Critical Function
CWE-306
EPSS
Base Score:
0.06