CVE-2026-26316
Published: 19 February 2026
Summary
CVE-2026-26316 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw (vendor: Openclaw). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 24.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Deeper analysis
CVE-2026-26316 is an authorization vulnerability (CWE-863) in OpenClaw, a personal AI assistant, affecting versions prior to 2026.2.13. The issue resides in the optional BlueBubbles iMessage channel plugin, which treats an incoming webhook request as authenticated solely because the TCP peer address is a loopback address (127.0.0.1, ::1, or ::ffff:127.0.0.1), even if the configured webhook secret is missing or incorrect. This flaw does not affect the default iMessage integration; it requires the BlueBubbles plugin to be explicitly installed and enabled.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): exploitable over the network with low complexity, requiring no privileges and no user interaction. Remote attackers can exploit it by sending crafted webhook requests to a loopback-bound OpenClaw Gateway instance that is exposed indirectly, for example through a public-facing reverse proxy that lacks strong upstream authentication. Because such a proxy connects to the Gateway from the same host, every forwarded request arrives with a loopback peer address, so the address check says nothing about the real client. Successful exploitation bypasses authentication and enables high-impact integrity violations, such as injecting unauthorized commands or data via the iMessage channel.
Mitigations are detailed in the OpenClaw GitHub security advisory (GHSA-pchc-86f6-8758) and associated commits. Administrators should upgrade to version 2026.2.13, which includes fixes via commits 743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a and f836c385ffc746cb954e8ee409f99d079bfdcd2f. Additional workarounds involve configuring a non-empty BlueBubbles webhook secret and avoiding deployments where public reverse proxies forward traffic to loopback-bound Gateways without robust authentication controls.
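The following is an added illustration, not OpenClaw's own code: a minimal reconstruction of the webhook check pattern the advisory describes (peer address trusted in place of the secret) beside a hardened form that fails closed when no secret is configured and always requires a constant-time secret match. Function names, the configured secret and the sample peer addresses are assumptions constructed for the example.

```javascript
// Constructed example (not OpenClaw code): peer addresses a loopback-only check
// would trust. A same-host reverse proxy presents one of these for every
// forwarded request, so the address is no evidence about the real client.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Constant-time comparison: walk the full configured length, fold every
// difference (including a length mismatch) into `diff`, decide only at the end.
function secretMatches(provided, configured) {
  if (typeof provided !== "string" || typeof configured !== "string") return false;
  let diff = provided.length ^ configured.length;
  for (let i = 0; i < configured.length; i++) {
    diff |= configured.charCodeAt(i) ^ (provided.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Pattern described in the advisory: a loopback peer is accepted no matter
// whether the secret is missing or wrong.
function vulnerableWebhookAuth(peerAddress, providedSecret, configuredSecret) {
  if (LOOPBACK.has(peerAddress)) return true;
  return secretMatches(providedSecret, configuredSecret);
}

// Hardened form: an unset secret rejects everything (fail closed), and the
// peer address is never a substitute for the secret.
function hardenedWebhookAuth(peerAddress, providedSecret, configuredSecret) {
  if (!configuredSecret) return false;
  return secretMatches(providedSecret, configuredSecret);
}

// Tabletop run: a request relayed by a same-host reverse proxy carries a
// loopback peer address but a wrong secret; a direct remote request does not.
function demo() {
  const configured = "example-secret"; // assumed value for the demo
  const viaProxy = { peer: "127.0.0.1", secret: "wrong" };
  const direct = { peer: "203.0.113.7", secret: "wrong" };
  return {
    vulnerableViaProxy: vulnerableWebhookAuth(viaProxy.peer, viaProxy.secret, configured),
    hardenedViaProxy: hardenedWebhookAuth(viaProxy.peer, viaProxy.secret, configured),
    vulnerableDirect: vulnerableWebhookAuth(direct.peer, direct.secret, configured),
    hardenedCorrect: hardenedWebhookAuth(viaProxy.peer, configured, configured),
    hardenedUnconfigured: hardenedWebhookAuth(viaProxy.peer, "", ""),
  };
}
```

The `vulnerableViaProxy` result shows why the "non-empty secret" workaround alone is not enough on the unpatched version: the loopback branch short-circuits before the secret is ever compared.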
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8432
Vulnerability details
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authentication bypass in an exposed webhook (a public-facing application) directly enables T1190 (Exploit Public-Facing Application); the resulting unauthorized command or data injection via the iMessage channel facilitates T1059 (Command and Scripting Interpreter) execution.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring identification, reporting, and correction of the specific flaw in the BlueBubbles plugin via patching to version 2026.2.13.
- AC-3 (Access Enforcement): Enforces approved authorizations for webhook requests, preventing acceptance based solely on a loopback IP without a valid secret.
- IA-9 (Service Identification and Authentication): Requires robust identification and authentication mechanisms for services like the BlueBubbles webhook endpoint, beyond IP-based checks.