
13 matches found

EUVD
added 5 days ago, 7 views

EUVD-2026-36537

parse-server: Server option routeAllowList is bypassable through batch sub-requests...

6.9 CVSS | 5.8 AI score | 0.00342 EPSS
Exploits 0 | References 3
Snyk
added 2026/03/31 4:54 p.m., 2 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the policy resolution process in the Google Chat and Zalouser extensions. An attacker can gain unauthorized interaction with bots by exploiting a flaw where...

5.3 CVSS | 5.9 AI score | 0.00297 EPSS
Exploits 0 | References 2
Vulnrichment
added 2026/03/31 2:10 p.m., 3 views

CVE-2026-33578 OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots...

5.3 CVSS | 5.9 AI score | 0.00297 EPSS
Exploits 0 | References 3
OSV
added 2026/03/31 12:31 p.m., 2 views

GHSA-XG59-F45V-9R9J Duplicate Advisory: OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-g7cr-9h7q-4qxq. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows...

7.5 CVSS | 5.8 AI score | 0.00267 EPSS
Exploits 0 | References 4
GitHub Security Blog
added 2026/03/31 12:31 p.m., 3 views

Duplicate Advisory: OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-g7cr-9h7q-4qxq. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows...

4.3 CVSS | 5.8 AI score | 0.00267 EPSS
Exploits 0 | References 5 | Affected Software 1
Cvelist
added 2026/03/31 11:17 a.m., 23 views

CVE-2026-34509

...

0.00025 EPSS
Exploits 0
Vulnrichment
added 2026/03/31 11:17 a.m., 3 views

CVE-2026-34509 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

4.3 CVSS | 5.9 AI score | 0.00025 EPSS
Exploits 0 | References 3
CVE
added 2026/03/31 11:17 a.m., 5 views

CVE-2026-34509

OpenClaw CVE-2026-34509 affects the Microsoft Teams plugin prior to version 2026.3.8. The vulnerability is a sender allowlist bypass: if a team/channel route allowlist uses an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, allowing any sender within...

4.3 CVSS | 5.9 AI score | 0.00025 EPSS
Exploits 0
ATTACKERKB
added 2026/03/31 11:17 a.m., 2 views

CVE-2026-34506

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

7.5 CVSS | 5.9 AI score | 0.00267 EPSS
Exploits 0 | References 4
Vulnrichment
added 2026/03/31 11:17 a.m., 1 view

CVE-2026-34506 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

4.3 CVSS | 5.9 AI score | 0.00267 EPSS
Exploits 0 | References 3
CVE
added 2026/03/31 11:17 a.m., 9 views

CVE-2026-34506

CVE-2026-34506 concerns the OpenClaw Microsoft Teams plugin. In versions prior to 2026.3.8, a sender allowlist bypass exists when a team/channel route allowlist is configured with an empty groupAllowFrom parameter. The message handler synthesizes wildcard sender authorization, allowing any sender...

4.3 CVSS | 5.9 AI score | 0.00267 EPSS
Exploits 0 | References 3 | Affected Software 1
Snyk
added 2026/03/12 2:21 p.m., 5 views

Authentication Bypass by Alternate Name

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name in the Microsoft Teams group sender authorization process when a route allowlist is configured and the sender allowlist is empty. An attacker can...

6.9 CVSS | 5.8 AI score | 0.00267 EPSS
Exploits 0 | References 2
OSV
added 2026/03/12 2:21 p.m., 1 view

GHSA-G7CR-9H7Q-4QXQ OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty

OpenClaw's Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but groupAllowFrom was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowi...

6.9 CVSS | 5.9 AI score | 0.00267 EPSS
Exploits 0 | References 5