Authorization Bypass Vulnerability in OpenClaw for Microsoft Teams
CVE-2026-35654

6.9 MEDIUM

Key Information:

Vendor

Openclaw

Status
Vendor
CVE Published:
10 April 2026

What is CVE-2026-35654?

OpenClaw versions prior to 2026.3.25 contain an authorization bypass in the handling of Microsoft Teams feedback invoke activities. The sender allowlist checks intended to restrict these actions were not enforced for feedback invokes, so a sender who is not on the allowlist could capture feedback sessions without permission and call the feedback recording endpoints, triggering unauthorized reflection and feedback submissions. Users of OpenClaw are strongly recommended to upgrade to the latest version to mitigate this risk.

Affected Version(s)

OpenClaw, all versions from 0 up to (but not including) 2026.3.25

OpenClaw 2026.3.25

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Peng Zhou (@zpbrent)