# Key vulnerability information

## Vulnerability overview

CVE ID: CVE-2026-26316
Severity: High (7.5 / 10)

## Affected packages and versions

- Package: @openclaw/bluebubbles (npm) - Affected versions: < 2026.2.13
- Package: openclaw (npm) - Affected versions: < 2026.2.13

## Vulnerability description

Summary: In affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1), even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled.

Details: If a deployment exposes the BlueBubbles webhook endpoint through a same-host reverse proxy (or an attacker can reach loopback via SSRF), an unauthorized party may be able to inject inbound webhook events into the agent pipeline.

## Mitigations

- Set a non-empty BlueBubbles webhook password.
- Avoid deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.

## Fix commit (defense-in-depth)

## Release process note

This is fixed in npm release 2026.2.13. Once downstream consumers are updated to >= 2026.2.13, the advisory can be published.

## Credits

Thanks @MegaManSec of AISLE Research Team for reporting.