Skip to main content

Microsoft CVE-2026-34509

| EUVDEUVD-2026-17395 LOW
Incorrect Authorization (CWE-863)
2026-03-31 VulnCheck GHSA-hwf5-6844-rpxj
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 31, 2026 - 11:45 euvd
EUVD-2026-17395
Analysis Generated
Mar 31, 2026 - 11:45 vuln.today
Patch released
Mar 31, 2026 - 11:45 nvd
Patch available
CVE Published
Mar 31, 2026 - 11:17 nvd
LOW 2.3

DescriptionCVE.org

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.

AnalysisAI

Authorization bypass in OpenClaw's Microsoft Teams plugin allows unauthenticated remote attackers to circumvent sender allowlists and trigger replies in restricted Teams routes. Affecting OpenClaw versions before 2026.3.8, the flaw manifests when team/channel route allowlists contain empty groupAllowFrom parameters, causing the message handler to synthesize wildcard sender authorization instead of enforcing intended restrictions. No public exploit identified at time of analysis, though CVSS 7.5 reflects network-accessible exploitation with low complexity requiring no authentication. Vendor-released patch available in version 2026.3.8 with upstream commit 88aee916.

Technical ContextAI

OpenClaw is a communication orchestration framework that integrates with Microsoft Teams to route and process messages based on configured allowlists. This vulnerability stems from CWE-863 (Incorrect Authorization), specifically a logic flaw in the Teams plugin's message handler. When administrators configure team/channel route allowlists but leave the groupAllowFrom parameter empty, the code incorrectly interprets this as a wildcard authorization grant rather than a restrictive null value. The affected component (cpe:2.3:a:openclaw:openclaw) synthesizes sender permissions dynamically, and the empty parameter triggers a fallback behavior that permits any sender within the matched team/channel context to bypass intended access controls. This represents a configuration-based authorization failure where the absence of explicit allow rules is mishandled as implicit permission rather than denial.

RemediationAI

Upgrade to OpenClaw version 2026.3.8 or later, which contains the authorization logic fix implemented in commit 88aee9161e0e6d32e810a25711e32a808a1777b2. Organizations unable to immediately upgrade should audit Microsoft Teams plugin configurations to ensure all team/channel route allowlists have explicitly populated groupAllowFrom parameters rather than empty values, which will prevent the wildcard synthesis behavior. Review existing allowlist configurations using the vendor advisory guidance at https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq and consult VulnCheck advisory https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration-2 for additional mitigation strategies. As an interim workaround, disable team/channel route allowlist features if not operationally required, or implement explicit sender restrictions using populated groupAllowFrom arrays until patching is completed.

Share

CVE-2026-34509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy