GHSA-7VWX-582J-J332

Vulnerability from github – Published: 2026-02-17 21:38 – Updated: 2026-02-17 21:38
VLAI?
Summary
OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains
Details

Summary

NOTE: This only affects deployments that enable the optional MS Teams extension (Teams channel). If you do not use MS Teams, you are not impacted.

When OpenClaw downloads inbound MS Teams attachments / inline images, it may retry a URL with an Authorization: Bearer <token> header after receiving 401 or 403.

Because the default download allowlist uses suffix matching (and includes some multi-tenant suffix domains), a message that references an untrusted but allowlisted host could cause that bearer token to be sent to the wrong place.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable: <= 2026.1.30
  • Patched: >= 2026.2.1

Fix

  • Fix commit: 41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b
  • Upgrade to openclaw >= 2026.2.1

Workarounds

  • If you do not need MS Teams, disable the MS Teams extension.
  • If you must stay on an older version, ensure the auth host allowlist is strict (only Microsoft-owned endpoints that require auth) and avoid wildcard or broad suffix entries.

Credits

Thanks @yueyueL for reporting.

Severity ?
7.4 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:38:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nNOTE: This only affects deployments that enable the optional MS Teams extension (Teams channel). If you do not use MS Teams, you are not impacted.\n\nWhen OpenClaw downloads inbound MS Teams attachments / inline images, it may retry a URL with an `Authorization: Bearer \u003ctoken\u003e` header after receiving `401` or `403`.\n\nBecause the default download allowlist uses suffix matching (and includes some multi-tenant suffix domains), a message that references an untrusted but allowlisted host could cause that bearer token to be sent to the wrong place.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Vulnerable: `\u003c= 2026.1.30`\n- Patched: `\u003e= 2026.2.1`\n\n## Fix\n\n- Fix commit: `41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b`\n- Upgrade to `openclaw \u003e= 2026.2.1`\n\n## Workarounds\n\n- If you do not need MS Teams, disable the MS Teams extension.\n- If you must stay on an older version, ensure the auth host allowlist is strict (only Microsoft-owned endpoints that require auth) and avoid wildcard or broad suffix entries.\n\n## Credits\n\nThanks @yueyueL for reporting.",
  "id": "GHSA-7vwx-582j-j332",
  "modified": "2026-02-17T21:38:14Z",
  "published": "2026-02-17T21:38:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7vwx-582j-j332"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.