CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 2026/04/28 6:10 p.m.•25 views

CVE-2026-41406 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages

5.4CVSS0.00045EPSS

EUVD•added 2026/04/28 6:10 p.m.•0 views

EUVD-2026-26113

5.4CVSS5.3AI score0.00045EPSS

CVE•added 2026/04/28 6:10 p.m.•1 views

CVE-2026-41406

OpenClaw (npm) is affected by CVE-2026-41406: before 2026.3.31, a sender allowlist bypass via thread history and quoted messages allows remote attackers to access restricted messages. The root cause is bypassing the sender allowlist by exploiting fetched quoted, root, and thread context messages....

5.4CVSS5.4AI score0.00045EPSS

Exploits0References3Affected Software1

ATTACKERKB•added 2026/04/28 6:10 p.m.•1 views

CVE-2026-41406

5.4CVSS5.3AI score0.00045EPSS

OSV•added 2026/04/28 12:31 a.m.•1 views

GHSA-8PF2-VJ79-4WXG Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-chfm-xgc4-47rj. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Gra...

5.4CVSS5.7AI score0.00034EPSS

NVD•added 2026/04/28 12:16 a.m.•3 views

CVE-2026-41365

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions...

5.4CVSS0.00034EPSS

Positive Technologies•added 2026/04/28 12:0 a.m.•0 views

PT-2026-35789

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.31 Description A sender allowlist bypass allows remote attackers to access restricted messages. This is achieved by exploiting fetched quoted, root, and thread context messages to circumvent restrictions and...

5.4CVSS5.8AI score0.00045EPSS

Exploits0References7

Cvelist•added 2026/04/27 11:24 p.m.•29 views

CVE-2026-41365 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History

5.4CVSS0.00034EPSS

Vulnrichment•added 2026/04/27 11:24 p.m.•1 views

CVE-2026-41365 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History

ATTACKERKB•added 2026/04/27 11:24 p.m.•1 views

CVE-2026-41365

CVE•added 2026/04/27 11:24 p.m.•4 views

CVE-2026-41365

OpenClaw prior to 2026.3.31 has a sender allowlist bypass in MS Teams thread history fetched via Graph API, allowing retrieval of messages that should be filtered by sender allowlists. Root cause: bypass of sender filtering when collecting thread history. Impact: potential exposure of non-filtere...

Exploits0References3Affected Software1

Positive Technologies•added 2026/04/27 12:0 a.m.•1 views

PT-2026-35553

OSV•added 2026/04/24 12:31 a.m.•1 views

GHSA-7HRG-5W46-5R2X Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qm77-8qjp-4vcm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages ...

5.4CVSS5.7AI score0.00017EPSS

EUVD•added 2026/04/24 12:31 a.m.•2 views

EUVD-2026-25342

OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context...

5.4CVSS5.8AI score0.00017EPSS