OpenClaw Microsoft Teams Plugin Sender Allowlist Bypass (CVE-2026-34506)
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin, allowing unauthorized senders to bypass intended authorization checks due to improper handling of empty groupAllowFrom parameters, potentially leading to information disclosure.
OpenClaw's Microsoft Teams plugin is vulnerable to a sender allowlist bypass (CVE-2026-34506) in versions prior to 2026.3.8. The vulnerability stems from a configuration-handling flaw: an empty groupAllowFrom parameter in a team/channel route allowlist is treated as a wildcard, so sender authorization is effectively synthesized for every sender. Any sender within the matched team/channel can therefore trigger replies in allowlisted Teams routes, bypassing the intended authorization checks. This vulnerability was…
Detection coverage (2 rules)
Detect OpenClaw Route Allowlist Misconfiguration
Severity: medium. Detects when OpenClaw is configured with an empty 'groupAllowFrom' parameter in a team/channel route allowlist.
Detect Unauthorized Sender in OpenClaw Allowlisted Route
Severity: high. Detects messages from unauthorized senders in OpenClaw allowlisted routes when the 'groupAllowFrom' parameter is empty.
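The following Python is an added illustration of the pattern behind this advisory and of the two detection rules above; it is not OpenClaw's code or configuration format. The Route schema, the field name group_allow_from, the sample routes and the message events are all constructed assumptions. It puts the "empty allowlist means allow everyone" logic next to a fail-closed version, then runs a config-time check (analogue of the medium rule) and a message-time check (analogue of the high rule) over the constructed data.

```python
"""Allowlist-bypass pattern from CVE-2026-34506, illustrated on a made-up route schema."""
from dataclasses import dataclass, field


@dataclass
class Route:
    """Assumed shape of a team/channel route; field names are not OpenClaw's."""
    team_id: str
    channel_id: str
    group_allow_from: list[str] = field(default_factory=list)


def sender_allowed_vulnerable(route: Route, sender_id: str) -> bool:
    """Weak pattern: an empty allowlist is treated as 'no restriction'.

    This reproduces the behaviour the advisory describes: an empty
    groupAllowFrom is synthesized into a wildcard, so any sender in the
    matched team/channel is authorized.
    """
    if not route.group_allow_from:
        return True
    return sender_id in route.group_allow_from


def sender_allowed_hardened(route: Route, sender_id: str) -> bool:
    """Fail closed: an empty allowlist authorizes nobody.

    Wildcard access must be an explicit opt-in ("*" entry, an assumed
    convention for this example) rather than the default for a blank list.
    """
    if not route.group_allow_from:
        return False
    return "*" in route.group_allow_from or sender_id in route.group_allow_from


def find_misconfigured_routes(routes: list[Route]) -> list[tuple[str, str]]:
    """Config-time check: routes whose allowlist is empty (medium-severity rule analogue)."""
    return [(r.team_id, r.channel_id) for r in routes if not r.group_allow_from]


def find_unauthorized_events(routes: list[Route], events: list[dict]) -> list[dict]:
    """Message-time check (high-severity rule analogue).

    Flags messages in allowlisted routes that the vulnerable logic would have
    answered but the fail-closed logic rejects, i.e. senders who only got
    through because the allowlist was empty.
    """
    by_key = {(r.team_id, r.channel_id): r for r in routes}
    findings = []
    for ev in events:
        route = by_key.get((ev["team_id"], ev["channel_id"]))
        if route is None:
            continue  # message is not in an allowlisted route; out of scope
        weak = sender_allowed_vulnerable(route, ev["sender_id"])
        strict = sender_allowed_hardened(route, ev["sender_id"])
        if weak and not strict:
            findings.append(ev)
    return findings


# Constructed sample data: one correctly allowlisted route and one with an empty list.
ROUTES = [
    Route("team-A", "chan-general", ["user:alice", "user:bob"]),
    Route("team-B", "chan-ops", []),  # misconfigured: empty groupAllowFrom
]

# Constructed message events; sender ids are placeholders.
EVENTS = [
    {"team_id": "team-A", "channel_id": "chan-general", "sender_id": "user:alice"},
    {"team_id": "team-A", "channel_id": "chan-general", "sender_id": "user:mallory"},
    {"team_id": "team-B", "channel_id": "chan-ops", "sender_id": "user:mallory"},
    {"team_id": "team-C", "channel_id": "chan-x", "sender_id": "user:alice"},
]

if __name__ == "__main__":
    print("misconfigured routes:", find_misconfigured_routes(ROUTES))
    print("unauthorized events:", find_unauthorized_events(ROUTES, EVENTS))
```

Only the team-B message is reported: the team-A message from an unlisted sender is rejected by both versions of the check, and the team-C message is not in an allowlisted route at all. The config-time check is the cheaper of the two and is worth running before deployment, since it catches the empty list before any message arrives.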