@openclaw/bluebubbles 2026.2.21

Direct Vulnerabilities

Known vulnerabilities in the @openclaw/bluebubbles package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `fetch` process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An attacker can access internal network resources or sensitive endpoints by supplying malicious URLs. How to fix Server-side Request Forgery (SSRF)? Upgrade `@openclaw/bluebubbles` to version 2026.5.2 or higher.	<2026.5.2
M Weak Password Requirements @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Weak Password Requirements via the authentication process. An attacker can bypass intended authentication mechanisms by sending a high volume of password guesses without restriction. How to fix Weak Password Requirements? Upgrade `@openclaw/bluebubbles` to version 2026.5.2 or higher.	<2026.5.2
M Incorrect Authorization @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the `requireMention` process. An attacker can trigger agent-visible system events in group chats that are intended to be mention-gated by sending specially crafted group reaction events. How to fix Incorrect Authorization? Upgrade `@openclaw/bluebubbles` to version 2026.5.2 or higher.	<2026.5.2
M Incorrect Authorization @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the `isAllowedParsedChatSender` process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from an untrusted sender when the `allowFrom` configuration is empty or unset and the DM policy is set to pairing or allowlist. How to fix Incorrect Authorization? Upgrade `@openclaw/bluebubbles` to version 2026.2.22 or higher.	<2026.2.22
L Incorrect Authorization @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging approval from a different account in multi-account deployments. How to fix Incorrect Authorization? Upgrade `@openclaw/bluebubbles` to version 2026.3.1 or higher.	<2026.3.1

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An attacker can access internal network resources or sensitive endpoints by supplying malicious URLs.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

<2026.5.2

Weak Password Requirements

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Weak Password Requirements via the authentication process. An attacker can bypass intended authentication mechanisms by sending a high volume of password guesses without restriction.

How to fix Weak Password Requirements?

Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

<2026.5.2

Incorrect Authorization

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Incorrect Authorization in the requireMention process. An attacker can trigger agent-visible system events in group chats that are intended to be mention-gated by sending specially crafted group reaction events.

How to fix Incorrect Authorization?

Upgrade @openclaw/bluebubbles to version 2026.5.2 or higher.

<2026.5.2

Incorrect Authorization

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from an untrusted sender when the allowFrom configuration is empty or unset and the DM policy is set to pairing or allowlist.

How to fix Incorrect Authorization?

Upgrade @openclaw/bluebubbles to version 2026.2.22 or higher.

<2026.2.22

Incorrect Authorization

@openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin

Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging approval from a different account in multi-account deployments.

How to fix Incorrect Authorization?

Upgrade @openclaw/bluebubbles to version 2026.3.1 or higher.

<2026.3.1

@openclaw/bluebubbles@2026.2.21

OpenClaw BlueBubbles channel plugin

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically