Lucene search
+L

18 matches found

cve
cve
added 2026/04/28 6:10 p.m.9 views

CVE-2026-41406

OpenClaw (npm) is affected by CVE-2026-41406: before 2026.3.31, a sender allowlist bypass via thread history and quoted messages allows remote attackers to access restricted messages. The root cause is bypassing the sender allowlist by exploiting fetched quoted, root, and thread context messages....

5.4CVSS5.4AI score0.00225EPSS
Exploits0References3Affected Software1
attackerkb
attackerkb
added 2026/04/28 6:10 p.m.7 views

CVE-2026-41406

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context messages to bypass sender allowlist restrictions and retrieve unauthorized content...

5.4CVSS5.3AI score0.00225EPSS
Exploits0References4
cvelist
cvelist
added 2026/04/28 6:10 p.m.33 views

CVE-2026-41406 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context messages to bypass sender allowlist restrictions and retrieve unauthorized content...

5.4CVSS0.00225EPSS
Exploits0References3
euvd
euvd
added 2026/04/28 6:10 p.m.5 views

EUVD-2026-26113

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context messages to bypass sender allowlist restrictions and retrieve unauthorized content...

5.4CVSS5.3AI score0.00225EPSS
Exploits0References3
nvd
nvd
added 2026/04/28 12:16 a.m.10 views

CVE-2026-41365

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions...

5.4CVSS0.00177EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/04/28 12:0 a.m.9 views

PT-2026-35789

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.31 Description A sender allowlist bypass allows remote attackers to access restricted messages. This is achieved by exploiting fetched quoted, root, and thread context messages to circumvent restrictions and...

5.4CVSS5.8AI score0.00225EPSS
Exploits0References7
cve
cve
added 2026/04/27 11:24 p.m.26 views

CVE-2026-41365

OpenClaw prior to 2026.3.31 has a sender allowlist bypass in MS Teams thread history fetched via Graph API, allowing retrieval of messages that should be filtered by sender allowlists. Root cause: bypass of sender filtering when collecting thread history. Impact: potential exposure of non-filtere...

5.4CVSS5.2AI score0.00177EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 2026/04/27 11:24 p.m.37 views

CVE-2026-41365 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions...

5.4CVSS0.00177EPSS
Exploits0References3
osv
osv
added 2026/04/27 11:24 p.m.2 views

CVE-2026-41365 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions...

5.3CVSS5.9AI score0.00177EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/04/27 12:0 a.m.11 views

PT-2026-35553

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions...

5.4CVSS5.2AI score0.00177EPSS
Exploits0References4
euvd
euvd
added 2026/04/10 4:3 p.m.5 views

EUVD-2026-21454

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or...

6.9CVSS5.8AI score0.00227EPSS
Exploits0References3
euvd
euvd
added 2026/03/31 12:31 p.m.13 views

EUVD-2026-17395

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

4.3CVSS5.9AI score0.00025EPSS
Exploits0References4
euvd
euvd
added 2026/03/31 12:31 p.m.3 views

EUVD-2026-17391

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

4.3CVSS5.9AI score0.00267EPSS
Exploits0References4
cvelist
cvelist
added 2026/03/31 11:17 a.m.27 views

CVE-2026-34509

...

0.00025EPSS
Exploits0
vulnrichment
vulnrichment
added 2026/03/31 11:17 a.m.5 views

CVE-2026-34509 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

4.3CVSS5.9AI score0.00025EPSS
Exploits0References3
cve
cve
added 2026/03/31 11:17 a.m.9 views

CVE-2026-34509

OpenClaw CVE-2026-34509 affects the Microsoft Teams plugin prior to version 2026.3.8. The vulnerability is a sender allowlist bypass: if a team/channel route allowlist uses an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, allowing any sender within...

4.3CVSS5.9AI score0.00025EPSS
Exploits0
osv
osv
added 2026/03/31 11:17 a.m.4 views

CVE-2026-34506 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

2.3CVSS6AI score0.00267EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/03/31 12:0 a.m.17 views

PT-2026-29237

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

7.5CVSS5.9AI score0.00267EPSS
Exploits0References4
Rows per page
Query Builder