Problem
BlueBubbles runs locally and serves attachment downloads at http://127.0.0.1:1234/api/v1/attachment/*/download. The gateway's SSRF guard blocks these as private/internal IPs, so all inbound images from iMessage are silently dropped.
Evidence
[security] blocked URL fetch (url-fetch) target=http://127.0.0.1:1234/api/v1/attachment/8B70AA46-B99C-497A-990E-4EBC9FEE091C/download reason=Blocked hostname or private/internal/special-use IP address
This happens consistently for every image attachment. Multiple blocked fetches in gateway.err.log.
Root Cause
appendResolvedMediaFromAttachments() calls fetchRemoteMedia() without passing ssrfPolicy, so it defaults to the strict SSRF guard that blocks localhost/private IPs.
Suggested Fix
Either:
- Add
channels.bluebubbles.allowPrivateNetwork: true config option (like channels.tlon already has)
- Or auto-detect that BB URLs are on the configured BB server address and pass
{ allowPrivateNetwork: true } to fetchRemoteMedia()
Environment
- OpenClaw 2026.3.2
- BlueBubbles running on same machine (localhost:1234)
- macOS, M1 Ultra
Problem
BlueBubbles runs locally and serves attachment downloads at
http://127.0.0.1:1234/api/v1/attachment/*/download. The gateway's SSRF guard blocks these as private/internal IPs, so all inbound images from iMessage are silently dropped.Evidence
This happens consistently for every image attachment. Multiple blocked fetches in
gateway.err.log.Root Cause
appendResolvedMediaFromAttachments()callsfetchRemoteMedia()without passingssrfPolicy, so it defaults to the strict SSRF guard that blocks localhost/private IPs.Suggested Fix
Either:
channels.bluebubbles.allowPrivateNetwork: trueconfig option (likechannels.tlonalready has){ allowPrivateNetwork: true }tofetchRemoteMedia()Environment