Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.
AnalysisAI
Authorization bypass in OpenClaw's Microsoft Teams plugin allows unauthenticated remote attackers to circumvent sender allowlists and trigger replies in restricted Teams routes. Affecting OpenClaw versions before 2026.3.8, the flaw manifests when team/channel route allowlists contain empty groupAllowFrom parameters, causing the message handler to synthesize wildcard sender authorization instead of enforcing intended restrictions. No public exploit identified at time of analysis, though CVSS 7.5 reflects network-accessible exploitation with low complexity requiring no authentication. Vendor-released patch available in version 2026.3.8 with upstream commit 88aee916.
Technical ContextAI
OpenClaw is a communication orchestration framework that integrates with Microsoft Teams to route and process messages based on configured allowlists. This vulnerability stems from CWE-863 (Incorrect Authorization), specifically a logic flaw in the Teams plugin's message handler. When administrators configure team/channel route allowlists but leave the groupAllowFrom parameter empty, the code incorrectly interprets this as a wildcard authorization grant rather than a restrictive null value. The affected component (cpe:2.3:a:openclaw:openclaw) synthesizes sender permissions dynamically, and the empty parameter triggers a fallback behavior that permits any sender within the matched team/channel context to bypass intended access controls. This represents a configuration-based authorization failure where the absence of explicit allow rules is mishandled as implicit permission rather than denial.
RemediationAI
Upgrade to OpenClaw version 2026.3.8 or later, which contains the authorization logic fix implemented in commit 88aee9161e0e6d32e810a25711e32a808a1777b2. Organizations unable to immediately upgrade should audit Microsoft Teams plugin configurations to ensure all team/channel route allowlists have explicitly populated groupAllowFrom parameters rather than empty values, which will prevent the wildcard synthesis behavior. Review existing allowlist configurations using the vendor advisory guidance at https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq and consult VulnCheck advisory https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration-2 for additional mitigation strategies. As an interim workaround, disable team/channel route allowlist features if not operationally required, or implement explicit sender restrictions using populated groupAllowFrom arrays until patching is completed.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17395
GHSA-hwf5-6844-rpxj