@openclaw/bluebubbles 2026.2.12

Direct Vulnerabilities

Known vulnerabilities in the @openclaw/bluebubbles package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `fetch` process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An attacker can access internal network resources or sensitive endpoints by supplying malicious URLs. How to fix Server-side Request Forgery (SSRF)? Upgrade `@openclaw/bluebubbles` to version 2026.5.2 or higher.	<2026.5.2
M Weak Password Requirements @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Weak Password Requirements via the authentication process. An attacker can bypass intended authentication mechanisms by sending a high volume of password guesses without restriction. How to fix Weak Password Requirements? Upgrade `@openclaw/bluebubbles` to version 2026.5.2 or higher.	<2026.5.2
M Incorrect Authorization @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the `requireMention` process. An attacker can trigger agent-visible system events in group chats that are intended to be mention-gated by sending specially crafted group reaction events. How to fix Incorrect Authorization? Upgrade `@openclaw/bluebubbles` to version 2026.5.2 or higher.	<2026.5.2
M Incorrect Authorization @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the `isAllowedParsedChatSender` process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from an untrusted sender when the `allowFrom` configuration is empty or unset and the DM policy is set to pairing or allowlist. How to fix Incorrect Authorization? Upgrade `@openclaw/bluebubbles` to version 2026.2.22 or higher.	<2026.2.22
L Incorrect Authorization @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging approval from a different account in multi-account deployments. How to fix Incorrect Authorization? Upgrade `@openclaw/bluebubbles` to version 2026.3.1 or higher.	<2026.3.1
M Missing Authentication for Critical Function @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the `webhook` process of the optional BlueBubbles plugin when password authentication is not configured for incoming webhook events. An attacker can trigger unauthorized webhook actions by sending crafted requests to the webhook endpoint in deployments where password authentication is omitted. This is only exploitable if the BlueBubbles plugin is enabled and webhook password authentication is not set. How to fix Missing Authentication for Critical Function? Upgrade `@openclaw/bluebubbles` to version 2026.2.21 or higher.	<2026.2.21
C Authentication Bypass Using an Alternate Path or Channel @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorized users and execute privileged commands by sending forged HTTP POST requests with spoofed fields in the update payload. Note: This is only exploitable if the Telegram webhook is enabled and no webhook secret is configured. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `@openclaw/bluebubbles` to version 2026.2.13 or higher.	<2026.2.13

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An attacker can access internal network resources or sensitive endpoints by supplying malicious URLs.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

<2026.5.2

Weak Password Requirements

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Weak Password Requirements via the authentication process. An attacker can bypass intended authentication mechanisms by sending a high volume of password guesses without restriction.

How to fix Weak Password Requirements?

Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

<2026.5.2

Incorrect Authorization

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Incorrect Authorization in the requireMention process. An attacker can trigger agent-visible system events in group chats that are intended to be mention-gated by sending specially crafted group reaction events.

How to fix Incorrect Authorization?

Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

<2026.5.2

Incorrect Authorization

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from an untrusted sender when the allowFrom configuration is empty or unset and the DM policy is set to pairing or allowlist.

How to fix Incorrect Authorization?

Upgrade @openclaw/bluebubbles to version 2026.2.22 or higher.

<2026.2.22

Incorrect Authorization

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging approval from a different account in multi-account deployments.

How to fix Incorrect Authorization?

Upgrade @openclaw/bluebubbles to version 2026.3.1 or higher.

<2026.3.1

Missing Authentication for Critical Function

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the optional BlueBubbles plugin when password authentication is not configured for incoming webhook events. An attacker can trigger unauthorized webhook actions by sending crafted requests to the webhook endpoint in deployments where password authentication is omitted. This is only exploitable if the BlueBubbles plugin is enabled and webhook password authentication is not set.

How to fix Missing Authentication for Critical Function?

Upgrade @openclaw/bluebubbles to version 2026.2.21 or higher.

<2026.2.21

Authentication Bypass Using an Alternate Path or Channel

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorized users and execute privileged commands by sending forged HTTP POST requests with spoofed fields in the update payload.

Note: This is only exploitable if the Telegram webhook is enabled and no webhook secret is configured.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade @openclaw/bluebubbles to version 2026.2.13 or higher.

<2026.2.13

@openclaw/bluebubbles@2026.2.12

OpenClaw BlueBubbles channel plugin

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically