CVE-2026-41365
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenClaw | OpenClaw | 0 < 2026.3.31 | affected |
| OpenClaw | OpenClaw | 2026.3.31 | unaffected |
Weaknesses
- CWE-441: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rj
- https://github.com/openclaw/openclaw/commit/5cca38084074fb5095aa11b6a59820d63e4937c9
- https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-graph-api-thread-history
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.