OpenClaw MS Teams Sender Allowlist Bypass Vulnerability via Graph API
Vulnerability
A sender allowlist bypass vulnerability has been identified in OpenClaw versions prior to 2026.3.31. This vulnerability occurs in the Microsoft Teams integration, where thread history fetched through the Graph API bypasses sender allowlist restrictions. As a result, attackers can access thread messages that should have been filtered out, effectively circumventing the intended message filtering controls.
Impact
Exploitation of this vulnerability allows for unauthorized access to thread messages in Microsoft Teams, bypassing sender allowlist restrictions and potentially leading to the exposure of sensitive information.
Reproduction
To reproduce this vulnerability, use OpenClaw versions through 2026.3.28 and send a request to fetch thread history from the Graph API. Ensure that the messages being retrieved include those from senders not on the allowlist. The response will include messages that should have been filtered out, demonstrating the bypass.
Remediation
Users can upgrade to OpenClaw version 2026.3.31 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.