GHSA-J26J-7QC4-3MRF OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption

Summary In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. Impact An attacker who obtained a valid uploadId within TTL could trigger...

Missing Authorization

Overview @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin Affected versions of this package are vulnerable to Missing Authorization via fileConsent/invoke. An attacker can access or manipulate pending file uploads belonging to other conversations by providing a valid uploadId withi...

OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption

Summary In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. Impact An attacker who obtained a valid uploadId within TTL could trigger...