CVE-2026-62205 in OpenClaw
Summary
by MITRE • 07/17/2026
OpenClaw versions 2026.4.12-beta.1 before 2026.6.6 contain a missing-authorization vulnerability in the MS Teams message actions feature. When the affected feature is enabled and reachable, a lower-trust caller or a configured input path can perform actions that should have required a stronger authorization or policy check. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. The issue is fixed in 2026.6.6.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability identified in OpenClaw versions 2026.4.12-beta.1 through 2026.6.5 represents a critical authorization bypass flaw that undermines the security controls governing Microsoft Teams message actions within the platform. This weakness falls under the category of insufficient authorization checks, which is classified as CWE-863 in the Common Weakness Enumeration catalog and aligns with ATT&CK technique T1078.004 for Valid Accounts and T1531 for Account Access Removal. The vulnerability specifically affects the MS Teams message actions feature where proper access controls fail to validate whether incoming requests originate from authorized entities with appropriate privileges.
The technical implementation of this flaw occurs when the affected feature remains enabled and accessible through reachable network paths, creating an attack surface where less privileged users or malicious actors can exploit the missing authorization checks. This condition allows lower-trust callers to execute operations that should normally require elevated permissions or specific policy validations. The vulnerability's exploitation potential varies significantly based on the system configuration and the ability of untrusted inputs to reach the vulnerable endpoint, making it particularly dangerous in environments where input validation is insufficient.
From an operational perspective, this authorization bypass can enable attackers to perform unauthorized actions within Microsoft Teams integration features, potentially leading to message manipulation, access to sensitive communications, or disruption of collaboration workflows. The impact severity depends on how the platform operator has configured access controls and whether proper network segmentation exists between trusted and untrusted user domains. The vulnerability's remediation in version 2026.6.6 demonstrates that the issue was addressed through proper authorization validation mechanisms that ensure only properly authenticated and authorized entities can execute message actions within the Teams integration.
Organizations utilizing affected OpenClaw versions should immediately implement mitigations including disabling the vulnerable MS Teams message actions feature until the patch is applied, implementing network-level restrictions to limit access to the affected endpoints, and conducting thorough security assessments of their Microsoft Teams integrations. The fix in version 2026.6.6 likely includes enhanced authorization checks that validate user credentials and permissions before executing Teams message actions, aligning with security best practices for API endpoint protection and following principles from the OWASP API Security Top 10. This vulnerability highlights the importance of proper access control implementation and demonstrates how seemingly minor authorization gaps can create significant security risks in collaborative platforms.