Insertion of Sensitive Information Into Sent Data in OpenClaw - CVE-2026-28481


Published: May 4, 2026


Vulnerability identifier: #VU129489
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28481
CWE-ID: CWE-201
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the MS Teams inbound attachment downloader, when it retries attachment or inline image URLs after receiving a 401 or 403 response, inserts sensitive information into the data it sends on the retry. A remote attacker can send a message that references an untrusted but allowlisted host and thereby obtain that sensitive information.

Only deployments with the optional MS Teams extension enabled are affected, and user interaction is required.
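The weakness described above is a retry-with-credentials pattern whose credential is scoped to an allowlist rather than to the host the credential was issued for. The following Python is an added illustrative example, not OpenClaw's own code and not a reproduction of the fix: it contrasts a downloader that attaches a bearer token on any allowlisted host after a 401/403 with one that only attaches it to the credential's own audience origin. The host names, the `FakeHttp` client and the policy sets are constructed for the example.

```python
"""
Added example (not OpenClaw code): scoping a credential-bearing retry to the
origin the credential belongs to, instead of to every allowlisted host.

Assumed flow (an assumption for this example, not a statement about OpenClaw):
the downloader first fetches an attachment URL anonymously and, on 401/403,
retries once with an Authorization header.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy values for the example.
ALLOWLISTED_HOSTS = {"teams.example.test", "cdn.example.test", "partner.example.test"}
# Origins the bearer token was actually issued for (constructed).
CREDENTIAL_ORIGINS = {"https://teams.example.test"}


@dataclass
class FakeResponse:
    status: int
    body: bytes = b""


@dataclass
class FakeHttp:
    """Offline stand-in for an HTTP client; records where each header went."""
    # url -> (response without Authorization, response with Authorization)
    responses: dict
    sent: list = field(default_factory=list)

    def get(self, url, headers=None):
        headers = dict(headers or {})
        self.sent.append((url, headers))
        anon, authed = self.responses.get(url, (FakeResponse(404), FakeResponse(404)))
        return authed if "Authorization" in headers else anon


def host_allowlisted(url):
    host = (urlsplit(url).hostname or "").lower()
    return host in ALLOWLISTED_HOSTS


def origin(url):
    """scheme://host[:port], with default ports dropped so comparisons are stable."""
    p = urlsplit(url)
    scheme = (p.scheme or "").lower()
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def download_weak(http, url, token):
    """Weak pattern: after 401/403, retries with the token on ANY allowlisted host."""
    if not host_allowlisted(url):
        return None
    resp = http.get(url)
    if resp.status in (401, 403):
        resp = http.get(url, headers={"Authorization": f"Bearer {token}"})
    return resp.body if resp.status == 200 else None


def download_hardened(http, url, token):
    """Hardened: the token is only attached when the URL's origin is one it was issued for."""
    if not host_allowlisted(url):
        return None
    resp = http.get(url)
    if resp.status in (401, 403) and origin(url) in CREDENTIAL_ORIGINS:
        resp = http.get(url, headers={"Authorization": f"Bearer {token}"})
    return resp.body if resp.status == 200 else None


def credential_recipients(http):
    """Hosts that received an Authorization header during a run (for auditing)."""
    return sorted({urlsplit(u).hostname for u, h in http.sent if "Authorization" in h})


def make_client():
    """Constructed scenario: an untrusted allowlisted host answers 401 until a token arrives."""
    return FakeHttp(responses={
        "https://partner.example.test/img.png": (FakeResponse(401), FakeResponse(200, b"img")),
        "https://teams.example.test/attachment": (FakeResponse(401), FakeResponse(200, b"att")),
    })


if __name__ == "__main__":
    for fn in (download_weak, download_hardened):
        client = make_client()
        fn(client, "https://partner.example.test/img.png", "constructed-token")
        print(fn.__name__, "sent the credential to:", credential_recipients(client))
```

The audit helper `credential_recipients` is the check a defender wants in a test suite: run the downloader against an allowlisted host that answers 401, then assert that the only hosts which ever saw an `Authorization` header are the ones the credential was issued for.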


How to mitigate CVE-2026-28481

Install the security update from the vendor's website.

Sources