Submit #809371: OpenClaw (formally ClawdBot) openclaw 2026.1.24 Authentication Bypass Issuesinfo

TitleOpenClaw (formally ClawdBot) openclaw 2026.1.24 Authentication Bypass Issues
DescriptionA critical authentication bypass exists in the BlueBubbles extension webhook due to a type-juggling vulnerability. The application compares the inbound Authorization header against an uninitialized configuration variable. By providing the literal string "undefined" as a Bearer token, a remote attacker can bypass authentication. This allows for unauthorized event injection, leading to Server-Side Request Forgery (SSRF) and the exfiltration of administrative credentials in cleartext.
Source⚠️ https://github.com/Dave-gilmore-aus/security-advisories/blob/main/ClawdBot(aka%20OpenClaw)-Auth-Bypass-SSRF
User
 davidgilmore (UID 96940)
Submission04/22/2026 00:56 (3 months ago)
Moderation05/11/2026 13:37 (20 days later)
StatusAccepted
VulDB entry362590 [OpenClaw up to 2026.1.24 bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!