OpenClaw Improper Authentication: CVE-2026-8305 Publicly Exploitable
A critical improper authentication vulnerability, tracked as CVE-2026-8305, has been identified in OpenClaw up to version 2026.1.24. The National Vulnerability Database confirms that the flaw resides in the `handleBlueBubblesWebhookRequest` function within the bluebubbles Webhook component. It allows remote attackers to bypass authentication, presenting a significant risk.
The CVSS score of 7.3 (High severity) underscores the danger, particularly since the exploit for this vulnerability is now public. Attackers can leverage this to gain unauthorized access, potentially leading to information disclosure, data manipulation, or denial of service, as indicated by the CVSS vector’s impact on confidentiality, integrity, and availability.
Defenders must prioritize patching. The National Vulnerability Database states that upgrading to OpenClaw version 2026.2.12 or applying patch a6653be0265f1f02b9de46c06f52ea7c81a836e6 is sufficient to remediate this issue. Immediate action is required to close this critical attack vector.
What This Means For You
- If your organization uses OpenClaw with the `bluebubbles Webhook` component, you are exposed to a remotely exploitable improper authentication flaw (CVE-2026-8305). Patch to version 2026.2.12 immediately. If you haven't patched, assume compromise and audit logs for any suspicious activity related to webhook access.
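To act on the patch guidance across more than one host, the sketch below sorts a version inventory into triage buckets. It is an added example, not OpenClaw or NVD code; the dotted-numeric version format, the status names and the sample inventory are assumptions.

```python
import re

# Version boundaries as stated on this page for CVE-2026-8305.
LAST_AFFECTED = (2026, 1, 24)   # "up to version 2026.1.24"
FIRST_FIXED = (2026, 2, 12)     # "upgrading to OpenClaw version 2026.2.12"
# Assumed format: dotted numeric, optional leading "v", trailing suffix ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it does not parse."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Map a reported version string to a triage status (names are hypothetical)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # cannot parse: check the host by hand
    if v <= LAST_AFFECTED:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "fixed"
    # The page is silent on releases between the two bounds: do not assume fixed.
    return "unverified"


def triage(inventory):
    """Group hosts by status; inventory maps host name -> reported version."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed inventory for illustration (host names and versions are made up).
SAMPLE_INVENTORY = {
    "chat-gw-01": "2026.1.24",
    "chat-gw-02": "v2026.2.12",
    "chat-gw-03": "2026.10.3",   # a plain string compare would rank this below 2026.2.12
    "chat-gw-04": "2026.2.1",
    "chat-gw-05": "2025.12.30",
    "chat-gw-06": "latest",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

A version number alone cannot show whether patch a6653be0265f1f02b9de46c06f52ea7c81a836e6 was applied to an older build, so hosts in the "vulnerable" bucket that were patched in place need a separate check.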
🛡️ Detection Rules
CVE-2026-8305 - OpenClaw BlueBubbles Webhook Improper Authentication
```yaml
title: CVE-2026-8305 - OpenClaw BlueBubbles Webhook Improper Authentication
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to exploit CVE-2026-8305 by targeting the handleBlueBubblesWebhookRequest function in OpenClaw's bluebubbles Webhook component. The vulnerability allows for improper authentication, and this detection specifically looks for requests to the vulnerable file path, indicating a potential exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8305/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # The value below is the source file path named in the advisory;
    # confirm the webhook route your deployment actually logs before relying on it.
    cs-uri|contains:
      - '/extensions/bluebubbles/src/monitor.ts'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8305 | Auth Bypass | OpenClaw up to version 2026.1.24 |
| CVE-2026-8305 | Auth Bypass | OpenClaw component bluebubbles Webhook |
| CVE-2026-8305 | Auth Bypass | Vulnerable function: handleBlueBubblesWebhookRequest in extensions/bluebubbles/src/monitor.ts |
| CVE-2026-8305 | Auth Bypass | Upgrade OpenClaw to version 2026.2.12 or apply patch a6653be0265f1f02b9de46c06f52ea7c81a836e6 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.