Summary
The BlueBubbles channel's auto-allowlist for the configured serverUrl doesn't cover the react action. Reactions to messages fail with:
Blocked hostname or private/internal/special-use IP address
Environment
- OpenClaw version:
2026.4.1
- BlueBubbles serverUrl:
http://192.168.x.x:1234 (private IP)
- macOS
Steps to reproduce
- Configure BlueBubbles with a private IP serverUrl
- Receive a message via BlueBubbles webhook (works fine)
- Send a reply via
message action=send (works fine)
- Try to react via
message action=react → blocked by SSRF
Expected behavior
The SSRF auto-allowlist fix from #27648 should cover all BlueBubbles API calls, not just attachment fetches.
Relevant changelog entry
BlueBubbles/SSRF: auto-allowlist the configured serverUrl hostname for attachment fetches so localhost/private-IP BlueBubbles setups are no longer false-blocked by default SSRF checks.
This fix appears to only apply to attachment fetches, leaving reactions (and possibly other actions like edit/unsend) blocked.
Workaround
None found. There's no documented config to allowlist private IPs for channel plugin API calls.
Summary
The BlueBubbles channel's auto-allowlist for the configured
serverUrldoesn't cover thereactaction. Reactions to messages fail with:Environment
2026.4.1http://192.168.x.x:1234(private IP)Steps to reproduce
message action=send(works fine)message action=react→ blocked by SSRFExpected behavior
The SSRF auto-allowlist fix from #27648 should cover all BlueBubbles API calls, not just attachment fetches.
Relevant changelog entry
This fix appears to only apply to attachment fetches, leaving reactions (and possibly other actions like edit/unsend) blocked.
Workaround
None found. There's no documented config to allowlist private IPs for channel plugin API calls.