Cyber Resilience

CVE-2026-26316

Severity: High
Published: 19 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: 2026.2.13
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0008 (24.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26316 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw (vendor: Openclaw). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2026-26316 is an authorization vulnerability (CWE-863) in OpenClaw, a personal AI assistant, affecting versions prior to 2026.2.13. The issue resides in the optional BlueBubbles iMessage channel plugin, which accepts incoming webhook requests as authenticated solely based on the TCP peer address matching loopback interfaces (127.0.0.1, ::1, or ::ffff:127.0.0.1), even if the configured webhook secret is missing or incorrect. This flaw does not impact the default iMessage integration and requires the BlueBubbles plugin to be explicitly installed and enabled.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating network-reachable exploitation of low complexity that requires neither privileges nor user interaction. Remote attackers can exploit it by sending crafted webhook requests to a loopback-bound OpenClaw Gateway instance that is exposed indirectly, such as through a public-facing reverse proxy lacking strong upstream authentication; because the proxy sits on the same host, every forwarded request arrives from a loopback peer address and passes the check. Successful exploitation allows attackers to bypass authentication, enabling high-impact integrity violations, such as injecting unauthorized commands or data via the iMessage channel.

Mitigations are detailed in the OpenClaw GitHub security advisory (GHSA-pchc-86f6-8758) and associated commits. Administrators should upgrade to version 2026.2.13, which includes fixes via commits 743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a and f836c385ffc746cb954e8ee409f99d079bfdcd2f. Additional workarounds involve configuring a non-empty BlueBubbles webhook secret and avoiding deployments where public reverse proxies forward traffic to loopback-bound Gateways without robust authentication controls.

EU & UK References

Vulnerability details

OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.
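The trust decision described in the deeper analysis and in the vulnerability details above, shown as an added example that is not OpenClaw's or the BlueBubbles plugin's code: a webhook authorizer that treats any loopback TCP peer as authenticated, beside a hardened authorizer that requires the configured secret regardless of peer address and fails closed when no secret is configured. The request shape, header names, addresses and secret value are constructed for the example; a small detection helper flags the deployment pattern the advisory warns about (a loopback peer that carries proxy forwarding headers).

```javascript
// Added illustrative example (not OpenClaw's or the BlueBubbles plugin's code).
// Models the authorization decision the advisory describes, vulnerable pattern
// beside hardened pattern. Request objects, field names, header names and
// addresses are constructed for this example.

const LOOPBACK_PEERS = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Vulnerable pattern: a loopback peer address short-circuits the secret check.
// Behind a same-host reverse proxy every request has a loopback peer, so this
// grants access to anyone who can reach the proxy, with any or no secret.
function authorizeVulnerable(req, configuredSecret) {
  if (LOOPBACK_PEERS.has(req.peerAddress)) return true;
  return configuredSecret !== "" && req.presentedSecret === configuredSecret;
}

// Constant-time comparison so the secret check does not leak the position of
// the first mismatching byte (production code would use crypto.timingSafeEqual).
function constantTimeEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(a);
  const y = enc.encode(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i];
  return diff === 0;
}

// Hardened pattern: the peer address plays no part in the decision, and a
// missing or empty configured secret fails closed instead of trusting loopback.
function authorizeHardened(req, configuredSecret) {
  if (typeof configuredSecret !== "string" || configuredSecret.length === 0) return false;
  if (typeof req.presentedSecret !== "string") return false;
  return constantTimeEqual(req.presentedSecret, configuredSecret);
}

// Detection aid for operators: a loopback peer that also carries forwarding
// headers is a proxied request, so the peer address says nothing about the
// real origin. Logging these makes the risky deployment visible.
function isProxiedLoopbackRequest(req) {
  const h = req.headers || {};
  const forwarded = "x-forwarded-for" in h || "forwarded" in h || "x-real-ip" in h;
  return LOOPBACK_PEERS.has(req.peerAddress) && forwarded;
}

// Constructed sample traffic (secret and addresses are made up).
const CONFIGURED_SECRET = "example-webhook-secret";

const SAMPLE_REQUESTS = {
  // BlueBubbles server on the same host presenting the right secret.
  localGood: { peerAddress: "127.0.0.1", presentedSecret: CONFIGURED_SECRET, headers: {} },
  // Relayed by a same-host reverse proxy; the real client is external and
  // presents no secret at all.
  proxiedNoSecret: { peerAddress: "127.0.0.1", presentedSecret: undefined,
                     headers: { "x-forwarded-for": "203.0.113.5" } },
  // Same path, wrong secret, IPv4-mapped loopback peer.
  proxiedWrongSecret: { peerAddress: "::ffff:127.0.0.1", presentedSecret: "guess",
                        headers: { "x-forwarded-for": "203.0.113.5" } },
  // Non-loopback client with the right secret (both handlers should accept).
  remoteGood: { peerAddress: "192.0.2.10", presentedSecret: CONFIGURED_SECRET, headers: {} },
};

// Runs every sample through both handlers; returns { name: [vulnerable, hardened] }.
function evaluateAll(secret = CONFIGURED_SECRET) {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = [authorizeVulnerable(req, secret), authorizeHardened(req, secret)];
  }
  return out;
}

console.log("secret configured:", evaluateAll());
console.log("secret empty:", evaluateAll(""));
```

With a secret configured, the vulnerable handler accepts all four samples while the hardened one rejects the two proxied requests; with an empty secret, the vulnerable handler still accepts anything arriving from loopback, which is exactly the case the advisory's workaround (set a non-empty webhook password) closes.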

CWE(s)

AI Security Analysis [AI]

AI Category: Enterprise AI Assistants
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The authentication bypass in an exposed webhook (a public-facing application) directly enables T1190; the resulting unauthorized command or data injection via the iMessage channel facilitates T1059 command execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41303 (same product: Openclaw Openclaw)
CVE-2026-28473 (same product: Openclaw Openclaw)
CVE-2026-32924 (same product: Openclaw Openclaw)
CVE-2026-31998 (same product: Openclaw Openclaw)
CVE-2026-32005 (same product: Openclaw Openclaw)
CVE-2026-28392 (same product: Openclaw Openclaw)
CVE-2026-28474 (same product: Openclaw Openclaw)
CVE-2026-32914 (same product: Openclaw Openclaw)
CVE-2026-34512 (same product: Openclaw Openclaw)
CVE-2026-32067 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.2.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

Control type: prevent
Directly mitigates the vulnerability by requiring identification, reporting, and correction of the specific flaw in the BlueBubbles plugin via patching to version 2026.2.13.

Control type: prevent (AC-3, Access Enforcement)
Enforces approved authorizations for webhook requests, preventing acceptance based solely on a loopback IP without a valid secret.

Control type: prevent (IA-9, Service Identification and Authentication)
Requires robust identification and authentication mechanisms for services like the BlueBubbles webhook endpoint, beyond IP-based checks.

References