PT-2026-29237 · Microsoft+1 · Teams Plugin+1
Peng Zhou · Published 2026-03-12 · Updated 2026-03-31
CVE-2026-34506
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.8
Description
The software contains a sender allowlist bypass issue in its Microsoft Teams plugin. This allows unauthorized senders to circumvent authorization checks. Specifically, when a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler creates wildcard sender authorization. This permits any sender within the matched team/channel to initiate replies in allowlisted Teams routes.
Recommendations
Update to version 2026.3.8 or later.
Fix
Incorrect Authorization
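A minimal model of the fail-open pattern described above, next to a fail-closed form and a configuration audit. This is an added example, not OpenClaw's code: the config shape, function names and sample IDs are hypothetical, and only the `groupAllowFrom` parameter name is taken from the advisory.

```javascript
// Added illustration; hypothetical model, not OpenClaw source.
// Only the `groupAllowFrom` parameter name comes from the advisory.

// Constructed sample config: one allowlisted team/channel route, no senders listed.
const sampleConfig = {
  routes: [{ teamId: "team-A", channelId: "chan-1" }], // route allowlist (assumed shape)
  groupAllowFrom: [],                                   // empty sender allowlist
};

function routeMatches(config, msg) {
  return config.routes.some(
    (r) => r.teamId === msg.teamId && r.channelId === msg.channelId
  );
}

// Fail-open pattern from the description: a matched route plus an empty sender
// list is turned into a wildcard, so every sender in the channel is authorized.
function isSenderAllowedFailOpen(config, msg) {
  if (!routeMatches(config, msg)) return false;
  const listed = config.groupAllowFrom ?? [];
  const senders = listed.length > 0 ? listed : ["*"];
  return senders.includes("*") || senders.includes(msg.senderId);
}

// Fail-closed form: route match and sender match are independent checks.
// An empty sender list authorizes nobody; a wildcard must be written explicitly
// (allowing an explicit "*" is a design choice of this example).
function isSenderAllowedFailClosed(config, msg) {
  if (!routeMatches(config, msg)) return false;
  const senders = config.groupAllowFrom ?? [];
  return senders.includes("*") || senders.includes(msg.senderId);
}

// Configuration audit: report settings that depend on wildcard sender access.
function auditConfig(config) {
  const findings = [];
  const senders = config.groupAllowFrom ?? [];
  if (config.routes.length > 0 && senders.length === 0) {
    findings.push("route allowlist set but groupAllowFrom is empty");
  }
  if (senders.includes("*")) {
    findings.push("groupAllowFrom contains explicit wildcard");
  }
  return findings;
}
```

Running `auditConfig` over deployed configurations before and after upgrading shows which routes were relying on the implicit wildcard and need an explicit sender list.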
Affected Products
Teams Plugin
OpenClaw