DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-XC7W-V5X6-CC87: OpenClaw: When 'Localhost' Isn't Local (And Your AI Agent Betrays You)

#security #cve #cybersecurity #ghsa

OpenClaw: When 'Localhost' Isn't Local (And Your AI Agent Betrays You)

Vulnerability ID: GHSA-XC7W-V5X6-CC87
CVSS Score: 9.8
Published: 2026-02-17

OpenClaw (formerly Moltbot), an autonomous AI agent framework, contained a critical authentication bypass in its BlueBubbles webhook integration. The vulnerability stemmed from an implicit trust of requests originating from loopback addresses (127.0.0.1). When deployed behind reverse proxies or tunnels, external requests appeared local to the application, allowing remote attackers to bypass authentication completely. This flaw is currently being exploited in the wild to hijack AI agents and exfiltrate credentials.

TL;DR

The OpenClaw AI agent framework blindly trusted any network request coming from '127.0.0.1'. Because reverse proxies (like Nginx or Cloudflare Tunnel) forward traffic locally, this allowed the entire internet to send authenticated commands to your internal AI agent without a password. Active exploitation is confirmed.

⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-290 (Auth Bypass by Spoofing)
  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network
  • Impact: Critical (RCE, Data Exfiltration)
  • Exploit Status: Active / Exploited in the Wild
  • KEV Status: Listed

Affected Systems

  • OpenClaw Gateway
  • OpenClaw BlueBubbles Extension
  • OpenClaw: < v2026.2.12 (Fixed in: v2026.2.12)

Code Analysis

Commit: f836c38

Removed implicit loopback trust check in BlueBubbles monitor

- if (remote === "127.0.0.1") return true;
Enter fullscreen mode Exit fullscreen mode

Commit: 743f4b2

Added proxy detection and timing-safe password comparison

+ if (isDirectLocalLoopbackRequest(req)) ...
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Bitdefender Labs: Active exploitation observed delivering Python reverse shells via agent skills.

Mitigation Strategies

  • Update OpenClaw immediately to a patched version.
  • Enforce password authentication for all webhook endpoints.
  • Deploy agents in isolated environments (containers/VMs) rather than bare metal.
  • Use VPNs or mTLS for accessing internal AI tools.

Remediation Steps:

  1. Stop the OpenClaw service.
  2. Pull the latest version (v2026.2.12+).
  3. Verify that the BlueBubbles extension configuration includes a non-empty password.
  4. Restart the service and check logs for successful authentication of incoming webhooks.

References

Read the full report for GHSA-XC7W-V5X6-CC87 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)