GHSA-xc7w-v5x6-cc87: OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)
The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) as authenticated. When OpenClaw Gateway is behind a reverse proxy (Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok), the proxy typically connects to the gateway over loopback, allowing unauthenticated remote requests to bypass the configured webhook password.
This could allow an attacker who can reach the proxy endpoint to inject arbitrary inbound BlueBubbles message/reaction events.
References
- github.com/advisories/GHSA-xc7w-v5x6-cc87
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a
- github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f
- github.com/openclaw/openclaw/releases/tag/v2026.2.12
- github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87