Main Vulnerability Database Vulnerabilities #VU126429

Missing Authorization in OpenClaw - #VU126429

Published: April 17, 2026

Vulnerability identifier: #VU126429

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-862

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenClaw

Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to bypass sender authorization checks.

The vulnerability exists due to improper access control in the Microsoft Teams SSO invoke handler when processing signin invoke requests. A remote user can send a crafted invoke from a disallowed sender to bypass sender authorization checks.

The issue affects SSO signin invoke handling, while normal message handling applies sender allowlist checks.

Remediation

Install security update from vendor's website.

Sources

https://github.com/openclaw/openclaw/security/advisories/GHSA-gc9r-867r-j85f
https://github.com/advisories/GHSA-gc9r-867r-j85f

Missing Authorization in OpenClaw - #VU126429

Detailed vulnerability description

Remediation

Sources

Please verify you're human