CVE-2026-35654

MEDIUM

OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke

Title source: cna

Description

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or reflection.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq

[Patch] https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 10.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-288

Status published

Products (4)

npm/openclaw 0 - 2026.3.28npm

OpenClaw/OpenClaw < 2026.3.25

openclaw/openclaw < 2026.3.25

OpenClaw/OpenClaw 2026.3.25

Published Apr 10, 2026

Tracked Since Apr 10, 2026