OpenClaw Missing Authorization Vulnerability in Microsoft Teams SSO Invoke Handler

Vulnerability

A missing authorization vulnerability has been identified in OpenClaw versions from 2026.4.10 up to, but not including, 2026.4.14. The issue resides in the Microsoft Teams Single Sign-On (SSO) invoke handler, which does not apply the configured sender allowlist before processing an invoke. As a result, an SSO invoke request from a sender outside the allowlist is processed as if it were authorized, giving that sender access to the Teams SSO sign-in functionality.
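The missing check, as an added example that is not OpenClaw's code: a minimal Teams invoke dispatcher in the vulnerable shape (no sender check) beside the hardened shape (allowlist gate before any SSO processing). The activity field names (`type`, `name`, `from.id`, `conversation.tenantId`) and the invoke names `signin/tokenExchange` and `signin/verifyState` follow the Bot Framework conventions for Teams SSO; the allowlist structure, the status codes and the sample identities are assumptions for this example, not OpenClaw's configuration.

```javascript
// Added example, not OpenClaw's code: a minimal Teams invoke dispatcher in
// the vulnerable shape (no sender check) beside the hardened shape (allowlist
// gate before any SSO processing). Activity field names follow Bot Framework
// conventions for Teams SSO invokes; the allowlist format, status codes and
// sample identities are assumptions for this example.

// Constructed allowlist: which Teams tenant and which senders may use SSO.
const ALLOWLIST = {
  tenantIds: new Set(["11111111-1111-1111-1111-111111111111"]),
  userIds: new Set(["29:allowed-user"]), // Teams `from.id` values
};

// Bot Framework invoke names used by the Teams SSO flow.
const SSO_INVOKE_NAMES = new Set(["signin/tokenExchange", "signin/verifyState"]);

// Sender gate: both the tenant and the individual sender must be allowlisted.
// Fails closed when either identifier is missing from the activity.
function isSenderAllowed(activity, allowlist) {
  const tenantId = activity?.conversation?.tenantId ?? activity?.channelData?.tenant?.id;
  const userId = activity?.from?.id;
  if (!tenantId || !userId) return false;
  return allowlist.tenantIds.has(tenantId) && allowlist.userIds.has(userId);
}

// Stand-in for the SSO completion step (a real handler would exchange the
// token and establish the session). Here it only reports who signed in.
function completeSignIn(activity) {
  return {
    status: 200,
    body: { signedInAs: activity.from.id, tenantId: activity.conversation.tenantId },
  };
}

// Vulnerable shape: any well-formed SSO invoke reaches completeSignIn.
function handleInvokeVulnerable(activity) {
  if (activity.type !== "invoke" || !SSO_INVOKE_NAMES.has(activity.name)) {
    return { status: 501 }; // not handled (Bot Framework convention for unknown invokes)
  }
  return completeSignIn(activity);
}

// Hardened shape: the allowlist gate runs before the SSO handler does anything.
function handleInvokeFixed(activity, allowlist = ALLOWLIST) {
  if (activity.type !== "invoke" || !SSO_INVOKE_NAMES.has(activity.name)) {
    return { status: 501 };
  }
  if (!isSenderAllowed(activity, allowlist)) {
    return { status: 403, body: { error: "sender not allowlisted" } };
  }
  return completeSignIn(activity);
}

// Constructed invoke activities: one from an allowlisted sender, one from a
// sender in a foreign tenant that is not on the allowlist.
const ALLOWED_SENDER = {
  type: "invoke",
  name: "signin/tokenExchange",
  from: { id: "29:allowed-user" },
  conversation: { tenantId: "11111111-1111-1111-1111-111111111111" },
  value: { id: "exchange-1", token: "<constructed-token>" },
};
const OUTSIDE_SENDER = {
  ...ALLOWED_SENDER,
  from: { id: "29:outsider" },
  conversation: { tenantId: "22222222-2222-2222-2222-222222222222" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable, outsider:", handleInvokeVulnerable(OUTSIDE_SENDER).status); // 200
  console.log("fixed, outsider:", handleInvokeFixed(OUTSIDE_SENDER).status);           // 403
  console.log("fixed, allowed:", handleInvokeFixed(ALLOWED_SENDER).status);            // 200
}
```

The gate has to run in the invoke handler itself, before any token exchange, and fail closed when the activity carries no tenant or sender identity; an allowlist enforced only on another code path does not protect this one.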

Impact

An attacker who can deliver an SSO invoke request to the affected Teams integration reaches the Microsoft Teams SSO sign-in flow without passing the sender allowlist check, so senders the operator never authorized can sign in through it.

Reproduction

To reproduce, send a Teams SSO invoke request to the Microsoft Teams integration of an affected OpenClaw version (2026.4.10 up to, but not including, 2026.4.14) from a sender that is not on the configured allowlist. The handler processes the request without the sender authorization check, so the allowlist is bypassed and the SSO sign-in functionality is reached. As a confirmation check, the same request against 2026.4.14 or later should no longer be processed for a non-allowlisted sender.

Remediation

Users are advised to upgrade to OpenClaw version 2026.4.14 or later, which contains the fix. The latest npm release, 2026.4.14, already includes the patch.

Added: May 5, 2026, 12:25 PM
Updated: May 5, 2026, 12:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 7.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.