CVE-2026-35654.yaml
info:
  name: openclaw
  cve: CVE-2026-35654
  summary: OpenClaw before 2026.3.25 authorization bypass in Microsoft Teams feedback invoke
  details: OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that
    allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke
    endpoints to trigger unauthorized feedback recording or reflection.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  severity: MEDIUM
  security_advise: Upgrade openclaw to version 2026.3.25 or later.
  references:
    - https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea
    - https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq
    - https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke
rule: version < "2026.3.25"
references:
  - https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea
  - https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq
  - https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke