Description
OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality.
Published: 2026-05-05
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions 2026.4.10 through 2026.4.13 contain a missing authorization check in the Microsoft Teams SSO invoke handler. The handler does not enforce the sender allowlist, so an attacker can craft SSO invoke requests that are processed without proper validation. This gives the attacker unauthorized access to the Teams SSO signin functionality, effectively bypassing access controls and potentially exposing sensitive information or enabling further compromise.
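The bug class described above, as an added illustration that is not OpenClaw's code: a Teams bot activity dispatcher that enforces the sender allowlist on the message path but routes SSO invoke activities to the signin handler before that check, beside a hardened dispatcher that authorizes the sender once before any routing. The names (ALLOWED_SENDERS, dispatchVulnerable, dispatchHardened) and the sender ids are assumptions; the "signin/..." invoke names are the Bot Framework's Teams SSO activity names.

```javascript
// Illustrative model of CWE-862 in a Teams bot dispatcher (hypothetical, not OpenClaw's code).
// Constructed sender allowlist: only this AAD object id may talk to the bot.
const ALLOWED_SENDERS = new Set(["user-aad-0001"]);

function isAllowedSender(activity) {
  const id = activity?.from?.aadObjectId ?? activity?.from?.id;
  return typeof id === "string" && ALLOWED_SENDERS.has(id);
}

function isSsoInvoke(activity) {
  // Bot Framework delivers Teams SSO traffic as invoke activities named "signin/..."
  // (e.g. signin/tokenExchange, signin/verifyState).
  return activity.type === "invoke" && typeof activity.name === "string" && activity.name.startsWith("signin/");
}

// Stand-ins for the real handlers; they only report which path was taken.
function handleSsoInvoke(activity) {
  return { status: 200, path: "sso", name: activity.name };
}
function handleMessage(activity) {
  return { status: 200, path: "message", text: activity.text };
}
const forbidden = () => ({ status: 403, path: "denied" });

// Vulnerable dispatcher: SSO invokes are routed before the allowlist is consulted,
// so any sender who can reach the endpoint gets the signin path.
function dispatchVulnerable(activity) {
  if (isSsoInvoke(activity)) return handleSsoInvoke(activity);
  if (!isAllowedSender(activity)) return forbidden();
  if (activity.type === "message") return handleMessage(activity);
  return { status: 400, path: "unsupported" };
}

// Hardened dispatcher: authorization is decided once, before any per-type routing,
// so a new activity type added later cannot skip the check.
function dispatchHardened(activity) {
  if (!isAllowedSender(activity)) return forbidden();
  if (isSsoInvoke(activity)) return handleSsoInvoke(activity);
  if (activity.type === "message") return handleMessage(activity);
  return { status: 400, path: "unsupported" };
}

// Constructed sample activities: one from an unlisted sender, one from the allowed sender.
const strangerSso = { type: "invoke", name: "signin/tokenExchange", from: { aadObjectId: "user-aad-9999" } };
const allowedSso = { type: "invoke", name: "signin/tokenExchange", from: { aadObjectId: "user-aad-0001" } };

console.log("vulnerable:", dispatchVulnerable(strangerSso).status); // 200: unlisted sender reaches the SSO handler
console.log("hardened:  ", dispatchHardened(strangerSso).status);   // 403
```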

Affected Systems

The vulnerability affects the OpenClaw software produced by the OpenClaw vendor. Specifically, versions 2026.4.10, 2026.4.11, 2026.4.12, and 2026.4.13 of OpenClaw are affected. The product is a Node.js application and is listed in the Common Platform Enumeration as openclaw:openclaw. The affected environment typically hosts integrations with Microsoft Teams SSO.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, with medium impact to confidentiality and integrity if exploitation is successful. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation to date. Based on the description, the likely attack vector is remote; an adversary can send malicious invoke requests over the network to the handler endpoint. No special privileges or local access are required beyond the ability to direct requests to the affected service.

Generated by OpenCVE AI on May 5, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.14 or later, which includes the authorization fix.
  • Verify that the sender allowlist configuration is properly enabled after the upgrade.
  • Monitor inbound SSO invoke traffic for anomalous requests and block unauthorized senders as a temporary defensive measure.

Generated by OpenCVE AI on May 5, 2026 at 12:36 UTC.

Advisories

Source: Github GHSA
ID: GHSA-gc9r-867r-j85f
Title: OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks
History

Tue, 05 May 2026 15:15:00 +0000

  Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  (no values removed)

Tue, 05 May 2026 11:45:00 +0000

  Description (values added): OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality.
  Title (values added): OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler
  First Time appeared (values added): Openclaw; Openclaw openclaw
  Weaknesses (values added): CWE-862
  CPEs (values added): cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products (values added): Openclaw; Openclaw openclaw
  References (values added): (empty)
  Metrics (values added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}; cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}
  (no values removed)


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T14:24:46.058Z

Reserved: 2026-05-01T16:58:23.117Z

Link: CVE-2026-43572

Vulnrichment

Updated: 2026-05-05T14:24:33.406Z

NVD

Status: Undergoing Analysis

Published: 2026-05-05T12:16:21.023

Modified: 2026-05-05T19:32:49.650

Link: CVE-2026-43572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T12:45:24Z

Weaknesses