CVE-2026-34506 in OpenClaw
摘要 (英语)
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.
负责
VulnCheck
预定
2026-03-30
披露
2026-03-31
条目
VulDB provides additional information and datapoints for this CVE:
| 标识符 | 漏洞 | CWE | 可利用 | 对策 | CVE |
|---|---|---|---|---|---|
| 354354 | OpenClaw Microsoft Teams Plugin channel 权限提升 | 863 | 未定义 | 官方修复 | CVE-2026-34506 |