CVE-2026-34509EXPLOITEDPATCHED

openclaw · openclaw

OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

Description

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.

Affected Products

Vendor	Product	Versions
openclaw	openclaw	0

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq(third-party-advisory)
https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2(patch)
https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration-2(third-party-advisory)

Related News (1 articles)

Tier C

VulDB10h ago

CVE-2026-34509 | OpenClaw up to 2026.3.7 Microsoft Teams Plugin team/channel groupAllowFrom authorization (GHSA-g7cr-9h7q-4qxq)

→ No new info (linked only)

CVSS 3.17.5 NONE

CISA KEV❌ No

Actively exploited✅ Yes

Patch available2026.3.8

CWECWE-863

PublishedMar 31, 2026

Last enriched10h agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-34504EXP

OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider

Trending: 59

NONECVE-2026-33580EXP

OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication

Trending: 53

NONECVE-2026-33579EXP

OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval

Trending: 53

NONECVE-2026-32917EXP

OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP

Trending: 52

NONECVE-2026-32916EXP

OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes

Trending: 43

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Mar 31, 2026

Discovered by ZDM

Mar 31, 2026

Updated: description, affectedVersions, severity, cvssEstimate, activelyExploited

Mar 31, 2026

Actively Exploited

Mar 31, 2026

Patch Available

Mar 31, 2026

Version History

Last enriched 10h ago

v2Tier C10h ago

Updated description with technical details, added affected version 2026.3.7, changed severity to HIGH, set CVSS estimate to 7.5, and noted that exploit is not available.

descriptionaffectedVersionsseveritycvssEstimateactivelyExploited

via VulDB

v110h ago

Initial creation