How to fix CVE-2026-34509?

Within 24 hours: Identify all OpenClaw deployments and confirm current plugin versions against 2026.3.8. Within 7 days: Upgrade all instances to OpenClaw 2026.3.8 or later (commit 88aee916 minimum). Within 30 days: Audit Teams routes with empty groupAllowFrom parameters in allowlist configurations and validate sender restrictions are properly enforced post-upgrade.

Is Microsoft affected by CVE-2026-34509?

OpenClaw's Microsoft Teams plugin (versions before 2026.3.8) contains an authorization bypass that allows unauthenticated attackers to bypass sender allowlists and inject messages into restricted Teams channels, potentially compromising communication integrity and enabling impersonation of trusted…

CVE-2026-34509

EUVD-2026-17395 LOW

2026-03-31 VulnCheck

GHSA-hwf5-6844-rpxj

2.3

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 31, 2026 - 11:45 vuln.today

EUVD ID Assigned

Mar 31, 2026 - 11:45 euvd

EUVD-2026-17395

Patch Released

Mar 31, 2026 - 11:45 nvd

Patch available

CVE Published

Mar 31, 2026 - 11:17 nvd

LOW 2.3

Description

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.

Analysis

Authorization bypass in OpenClaw's Microsoft Teams plugin allows unauthenticated remote attackers to circumvent sender allowlists and trigger replies in restricted Teams routes. Affecting OpenClaw versions before 2026.3.8, the flaw manifests when team/channel route allowlists contain empty groupAllowFrom parameters, causing the message handler to synthesize wildcard sender authorization instead of enforcing intended restrictions. …

Remediation

Within 24 hours: Identify all OpenClaw deployments and confirm current plugin versions against 2026.3.8. Within 7 days: Upgrade all instances to OpenClaw 2026.3.8 or later (commit 88aee916 minimum). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +12

POC: 0

CVE-2026-34509 vulnerability details – vuln.today

Back

CVE-2026-34509

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34509

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code