Homepage

@openclaw/bluebubbles@2026.2.2

OpenClaw BlueBubbles channel plugin

  • latest version

    2026.5.7

  • latest non vulnerable version

    2026.5.7

  • first published

    4 months ago

  • latest version published

    24 days ago

  • View bluebubbles package health on Snyk  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the @openclaw/bluebubbles package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Improper Authentication

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Improper Authentication via the handleBlueBubblesWebhookRequest function. An attacker can gain unauthorized access and potentially compromise confidentiality, integrity, and availability by sending crafted requests to the webhook endpoint.

    How to fix Improper Authentication?

    Upgrade @openclaw/bluebubbles to version 2026.2.12 or higher.

    <2026.2.12
    • H
    Server-side Request Forgery (SSRF)

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An attacker can access internal network resources or sensitive endpoints by supplying malicious URLs.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

    <2026.5.2
    • M
    Weak Password Requirements

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Weak Password Requirements via the authentication process. An attacker can bypass intended authentication mechanisms by sending a high volume of password guesses without restriction.

    How to fix Weak Password Requirements?

    Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

    <2026.5.2
    • M
    Incorrect Authorization

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Incorrect Authorization in the requireMention process. An attacker can trigger agent-visible system events in group chats that are intended to be mention-gated by sending specially crafted group reaction events.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

    <2026.5.2
    • M
    Incorrect Authorization

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from an untrusted sender when the allowFrom configuration is empty or unset and the DM policy is set to pairing or allowlist.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/bluebubbles to version 2026.2.22 or higher.

    <2026.2.22
    • L
    Incorrect Authorization

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging approval from a different account in multi-account deployments.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/bluebubbles to version 2026.3.1 or higher.

    <2026.3.1
    • M
    Missing Authentication for Critical Function

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the optional BlueBubbles plugin when password authentication is not configured for incoming webhook events. An attacker can trigger unauthorized webhook actions by sending crafted requests to the webhook endpoint in deployments where password authentication is omitted. This is only exploitable if the BlueBubbles plugin is enabled and webhook password authentication is not set.

    How to fix Missing Authentication for Critical Function?

    Upgrade @openclaw/bluebubbles to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Incorrect Authorization

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Incorrect Authorization via the webhook authentication. An attacker can gain unauthorized access and inject arbitrary webhook events by sending requests from a loopback address or exploiting a reverse proxy configuration.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/bluebubbles to version 2026.2.12 or higher.

    <2026.2.12
    • C
    Authentication Bypass Using an Alternate Path or Channel

    @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

    Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorized users and execute privileged commands by sending forged HTTP POST requests with spoofed fields in the update payload.

    Note: This is only exploitable if the Telegram webhook is enabled and no webhook secret is configured.

    How to fix Authentication Bypass Using an Alternate Path or Channel?

    Upgrade @openclaw/bluebubbles to version 2026.2.13 or higher.

    <2026.2.13
    Go back to all versions of this package