Impact
OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against the configured mediaAllowHosts allowlist when handling Microsoft Teams attachments. An attacker who can influence an attachment URL can supply one whose redirect chain ultimately lands on a host not included in the allowlist, bypassing the software's SSRF (Server-Side Request Forgery) boundary controls. The vulnerability is identified as CWE-918; the underlying weakness is unsafe or incorrect handling of redirects. As a result, requests may be issued from the OpenClaw environment to internal or otherwise protected resources, exposing sensitive data or enabling further exploitation.
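The per-hop allowlist check that the fix depends on, shown here as an added example that is not OpenClaw's own code: the allowlist matcher, the redirect table and all host names are constructed assumptions, and no network requests are made.

```javascript
// Constructed stand-in for HTTP responses: maps a URL to the Location header it returns.
// The internal host is invented for the example.
const REDIRECTS = {
  "https://cdn.allowed.test/file.png": "https://cdn.allowed.test/real/file.png",
  "https://cdn.allowed.test/hop.png": "http://internal-only.test/admin",
};

// Hypothetical allowlist matcher: exact host or a subdomain of an allowed host.
function hostAllowed(urlString, allowHosts) {
  const host = new URL(urlString).hostname.toLowerCase();
  return allowHosts.some((h) => host === h || host.endsWith("." + h));
}

// Flawed pattern: validates only the URL the attachment points at, then follows
// whatever redirects come back. Returns the final URL that would be fetched.
function downloadUncheckedRedirects(startUrl, allowHosts, maxHops = 5) {
  if (!hostAllowed(startUrl, allowHosts)) throw new Error("blocked: " + startUrl);
  let current = startUrl;
  for (let i = 0; i < maxHops && REDIRECTS[current]; i++) current = REDIRECTS[current];
  return current; // may be a non-allowlisted host reached through a redirect
}

// Hardened pattern: re-validate every hop against the allowlist before following it,
// and bound the chain length so a redirect loop cannot run forever.
function downloadCheckedRedirects(startUrl, allowHosts, maxHops = 5) {
  let current = startUrl;
  for (let i = 0; i <= maxHops; i++) {
    if (!hostAllowed(current, allowHosts)) throw new Error("blocked: " + current);
    const next = REDIRECTS[current];
    if (!next) return current; // no redirect: this is the URL that gets fetched
    current = new URL(next, current).toString(); // resolve relative Location values too
  }
  throw new Error("too many redirects");
}
```

The hardened variant rejects the second chain at its first hop off the allowlist, while the flawed one returns the internal URL as if it were a valid download target.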
Affected Systems
This issue affects all OpenClaw products (vendor OpenClaw) running a Node.js-based OpenClaw version prior to 2026.2.22. No more granular version ranges are listed, so any deployment that has not been upgraded to 2026.2.22 or later is impacted.
Risk and Exploitability
The CVSS base score is 2.3, indicating low severity. EPSS information is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting that widespread exploitation has not been observed yet. Exploitation does, however, require control over the attachment URL (for example, from within a Microsoft Teams environment), which may be feasible for insiders or compromised users. The attack vector is the Microsoft Teams attachment handling path, specifically media download operations. With no publicly disclosed exploits, the immediate risk is considered low, but internal SSRF remains a concern for environments that rely on strict allowlist enforcement.