CVE-2026-62224

Summary

OpenClaw MS Teams before 2026.5.12 contain an authorization bypass vulnerability where the allowFrom feature binds to mutable display names. Attackers with lower-trust access can perform actions requiring stronger authorization by exploiting the mutable display name binding in the affected feature.

Affected Software

VendorProductVersion RangeStatus
openclawmsteams0 < 2026.5.12affected
openclawmsteams2026.5.12unaffected

Weaknesses

  • CWE-290: Authentication Bypass by Spoofing
  • CWE-863: Incorrect Authorization

References