OpenClaw Authorization Bypass Vulnerability in Microsoft Teams Feedback Invoke

Vulnerability

OpenClaw versions prior to 2026.3.25 do not apply the sender allowlist to Microsoft Teams feedback invoke activities. A sender who is not on the allowlist can therefore submit a feedback invoke and have session feedback recorded, bypassing the sender authorization check that governs ordinary messages.

Impact

Exploitation allows an unauthorized sender to record feedback for a session, or to trigger feedback reflection for that session, without passing the sender allowlist check that other Teams traffic is subject to.

Reproduction

Send a feedback invoke from a sender who is not on the allowlist, in either a direct message or a group chat. On an affected version the feedback is recorded and any associated reflection is triggered even though the sender is not authorized; on a fixed version the invoke is rejected like any other message from that sender.
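The pattern behind this class of bug, as an added example that is not OpenClaw's code: a Teams activity router that checks the sender allowlist inside the message branch only, so the invoke branch records feedback for anyone, beside the fixed shape where authorization is decided once before dispatch. All identifiers (Activity, FeedbackStore, routeVulnerable, routeFixed, ALLOWED_SENDERS, reproduce) are hypothetical, the invoke name "message/submitAction" with actionName "feedback" is assumed from the Bot Framework feedback-loop shape rather than taken from OpenClaw, and the allowlist and activities are constructed for the demonstration.

```typescript
// Added example, not OpenClaw code. Names and the invoke shape are assumptions.

type ConversationType = "personal" | "groupChat" | "channel";

interface Activity {
  type: "message" | "invoke";
  name?: string;                        // invoke name, only set for type "invoke"
  from: { id: string };                 // Teams user id of the sender
  conversation: { id: string; conversationType: ConversationType };
  text?: string;
  value?: { actionName?: string; actionValue?: { reaction?: string; feedback?: string } };
}

interface FeedbackRecord { conversationId: string; senderId: string; reaction: string }

// Stand-in for the session store that persists feedback and triggers reflection.
class FeedbackStore {
  readonly records: FeedbackRecord[] = [];
  reflectionsTriggered = 0;

  record(activity: Activity): void {
    this.records.push({
      conversationId: activity.conversation.id,
      senderId: activity.from.id,
      reaction: activity.value?.actionValue?.reaction ?? "unknown",
    });
    this.reflectionsTriggered += 1; // every recorded feedback kicks off a reflection pass
  }
}

const ALLOWED_SENDERS = new Set(["29:alice"]); // constructed allowlist

function isAllowedSender(activity: Activity): boolean {
  return ALLOWED_SENDERS.has(activity.from.id);
}

function isFeedbackInvoke(activity: Activity): boolean {
  return activity.type === "invoke"
    && activity.name === "message/submitAction"
    && activity.value?.actionName === "feedback";
}

type Outcome = "handled" | "rejected" | "ignored";

// Vulnerable shape: the allowlist is enforced inside the message branch only,
// so the feedback invoke branch never sees it.
function routeVulnerable(activity: Activity, store: FeedbackStore): Outcome {
  if (activity.type === "message") {
    if (!isAllowedSender(activity)) return "rejected";
    return "handled";
  }
  if (isFeedbackInvoke(activity)) {
    store.record(activity); // no sender check on this path
    return "handled";
  }
  return "ignored";
}

// Fixed shape: authorization is decided once, before any dispatch on activity
// type, so every endpoint (message or invoke) inherits the same allowlist.
function routeFixed(activity: Activity, store: FeedbackStore): Outcome {
  if (!isAllowedSender(activity)) return "rejected";
  if (activity.type === "message") return "handled";
  if (isFeedbackInvoke(activity)) {
    store.record(activity);
    return "handled";
  }
  return "ignored";
}

// Constructed activities for the reproduction.
function makeFeedbackInvoke(senderId: string, conversationType: ConversationType): Activity {
  return {
    type: "invoke",
    name: "message/submitAction",
    from: { id: senderId },
    conversation: { id: "19:chat-1", conversationType },
    value: { actionName: "feedback", actionValue: { reaction: "like", feedback: "helpful" } },
  };
}

function makeMessage(senderId: string, conversationType: ConversationType): Activity {
  return { type: "message", from: { id: senderId }, conversation: { id: "19:chat-1", conversationType }, text: "hi" };
}

// Runs the same traffic through a router: a non-allowlisted sender ("29:mallory")
// sends a message and feedback invokes in a group chat and a DM, then the
// allowlisted sender sends one legitimate feedback invoke.
function reproduce(router: (a: Activity, s: FeedbackStore) => Outcome): { recorded: number; reflections: number; outcomes: Outcome[] } {
  const store = new FeedbackStore();
  const outcomes = [
    router(makeMessage("29:mallory", "groupChat"), store),
    router(makeFeedbackInvoke("29:mallory", "groupChat"), store),
    router(makeFeedbackInvoke("29:mallory", "personal"), store),
    router(makeFeedbackInvoke("29:alice", "personal"), store),
  ];
  return { recorded: store.records.length, reflections: store.reflectionsTriggered, outcomes };
}

console.log("vulnerable:", reproduce(routeVulnerable));
console.log("fixed:", reproduce(routeFixed));
```

The vulnerable router rejects the unauthorized plain message but accepts both of the same sender's feedback invokes, recording three feedback entries and triggering three reflections; the fixed router records only the allowlisted sender's entry. The design point is that the allowlist check belongs ahead of the type dispatch, not duplicated per branch, so a new invoke endpoint cannot be added without inheriting it.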

Remediation

Update to OpenClaw version 2026.3.25 or later, which closes the bypass. After updating, confirm the fix by repeating the reproduction above and checking that no feedback entry is created for the non-allowlisted sender.

Added: Apr 10, 2026, 6:22 PM
Updated: Apr 10, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 0.0
relevance: 5.6
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.