PT-2026-23556 · Openclaw+1

Yueyuel · Published 2026-02-02 · Updated 2026-03-06 · CVE-2026-28481

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.1

Description: The software contains an information disclosure issue in the MS Teams attachment downloader (the optional extension must be enabled). When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts that match the permissive suffix-based allowlist, potentially leading to token theft. The default download allowlist uses suffix matching, so a message referencing an untrusted but allowlisted host could cause the bearer token to be sent to the wrong location.

Recommendations: Upgrade to OpenClaw version 2026.2.1 or later. If the MS Teams extension is not needed, disable it. If upgrading is not possible, ensure the auth host allowlist is strict, including only Microsoft-owned endpoints that require authentication, and avoid wildcard or broad suffix entries.
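The following is an added illustration, not OpenClaw's code, of the difference between a suffix-matched download allowlist and a strict authentication-host allowlist for the 401/403 retry path. The hostnames and allowlist entries are constructed placeholders; the real extension's configuration keys and defaults are not reproduced here.

```javascript
// Weak check: any hostname whose string ends with an allowlisted suffix passes.
// Without a label boundary, "example.com" also admits "other-example.com" and
// "untrusted.example.com", neither of which the operator necessarily controls.
function hostAllowedBySuffix(hostname, suffixes) {
  const h = hostname.toLowerCase();
  return suffixes.some((s) => h.endsWith(s.toLowerCase()));
}

// Strict check: the parsed hostname must equal an allowlisted entry exactly.
// Comparing parsed hostnames (not raw URL strings) means userinfo, ports and
// paths in the URL cannot influence the decision.
function hostAllowedExactly(hostname, hosts) {
  const h = hostname.toLowerCase();
  return hosts.some((a) => a.toLowerCase() === h);
}

// Build the headers for a retry after a 401/403. The Authorization header is
// attached only when the target is HTTPS and its host is on the strict
// auth-host allowlist; otherwise the retry is sent without credentials.
function retryHeaders(url, authHosts, token) {
  const u = new URL(url);
  if (u.protocol === "https:" && hostAllowedExactly(u.hostname, authHosts)) {
    return { Authorization: `Bearer ${token}` };
  }
  return {};
}

// Constructed allowlists for the demonstration (placeholders, not real entries).
const DOWNLOAD_SUFFIXES = ["example.com"];   // broad suffix entry (weak)
const AUTH_HOSTS = ["graph.example.com"];     // exact host entry (strict)

// Show both decisions side by side for a set of constructed download URLs.
function demo() {
  const urls = [
    "https://graph.example.com/v1/attachment",
    "https://untrusted.example.com/attachment",
    "https://other-example.com/attachment",
  ];
  return urls.map((url) => ({
    url,
    suffixAllowed: hostAllowedBySuffix(new URL(url).hostname, DOWNLOAD_SUFFIXES),
    tokenSent: "Authorization" in retryHeaders(url, AUTH_HOSTS, "t0k3n"),
  }));
}

module.exports = { hostAllowedBySuffix, hostAllowedExactly, retryHeaders, demo };
```

Running `demo()` shows that all three hosts pass the suffix check while only the exact entry receives the bearer token on retry.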

Fix

Weakness Enumeration

Related Identifiers

BDU:2026-06333
CVE-2026-28481
GHSA-7VWX-582J-J332

Affected Products

Ms Teams
Openclaw