MS Teams Integration in OpenClaw Allows Unauthorized File Access

GHSA-j26j-7qc4-3mrf
Summary

OpenClaw's MS Teams integration had a bug that let attackers access files from the wrong conversation. It affected users whose upload IDs (the identifiers used to manage file uploads) an attacker was able to obtain. To fix this, update OpenClaw to the latest version, which is 2026.2.25 or later.

What to do
  • Update openclaw to version 2026.2.25.
Affected software
| Vendor | Product  | Affected versions | Fix available |
|--------|----------|-------------------|---------------|
| –      | openclaw | <= 2026.2.24      | 2026.2.25     |
Original title
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption
Original description
### Summary
In `openclaw` MS Teams file-consent flow, pending uploads were authorized by `uploadId` alone. `fileConsent/invoke` did not verify the invoke conversation against the conversation that created the pending upload.

### Impact
An attacker who obtained a valid `uploadId` within TTL could trigger cross-conversation upload completion (accept path) or cancel a victim pending upload (decline path).

### Technical Details
- Pending uploads stored `conversationId`, but invoke handling consumed by `uploadId` only.
- The invoke path did not enforce conversation binding before `uploadToConsentUrl(...)` and pending-upload removal.
- Fix binds accept/decline handling to normalized conversation id match before consuming pending upload state.
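The consumption step before and after the fix, as an added illustration modelled on the advisory's description rather than code from the openclaw project; the names (`PendingUploadStore`, `consumeById`, `consumeBound`, `handleFileConsentInvoke`, `normalizeConversationId`), the trim-and-case-fold normalization and the sample conversation ids are assumptions:

```javascript
// Hypothetical names, modelled on the advisory; not openclaw's own code.
function normalizeConversationId(id) {
  return String(id ?? "").trim().toLowerCase(); // assumed normalization
}

class PendingUploadStore {
  constructor(ttlMs) { this.ttlMs = ttlMs; this.entries = new Map(); }
  add(uploadId, conversationId, filename) {
    this.entries.set(uploadId, { conversationId, filename, createdAt: Date.now() });
  }
  liveEntry(uploadId) {
    const e = this.entries.get(uploadId);
    return e && Date.now() - e.createdAt <= this.ttlMs ? e : null;
  }
  // Vulnerable pattern (<= 2026.2.24): any holder of a live uploadId consumes it.
  consumeById(uploadId) {
    const e = this.liveEntry(uploadId);
    if (e) this.entries.delete(uploadId);
    return e;
  }
  // Fixed pattern: the invoking conversation must match the creating one
  // before pending state is consumed, for accept and decline alike.
  consumeBound(uploadId, invokeConversationId) {
    const e = this.liveEntry(uploadId);
    if (!e || normalizeConversationId(e.conversationId) !==
              normalizeConversationId(invokeConversationId)) return null;
    this.entries.delete(uploadId);
    return e;
  }
}

// fileConsent/invoke handler that only ever uses the bound path.
function handleFileConsentInvoke(store, invoke) {
  const e = store.consumeBound(invoke.uploadId, invoke.conversationId);
  if (!e) return { status: "rejected" };
  return { status: invoke.action === "accept" ? "accepted" : "declined", filename: e.filename };
}

// Constructed scenario: a second conversation replays the victim's uploadId.
function demonstrate() {
  const victim = "19:abc@thread.tacv2", other = "19:xyz@thread.tacv2";
  const v = new PendingUploadStore(60000); v.add("u-1", victim, "report.pdf");
  const vulnerable = v.consumeById("u-1") !== null; // true: no conversation check
  const f = new PendingUploadStore(60000); f.add("u-1", victim, "report.pdf");
  const cross = handleFileConsentInvoke(f, { uploadId: "u-1", conversationId: other, action: "decline" }).status;
  const own = handleFileConsentInvoke(f, { uploadId: "u-1", conversationId: " 19:ABC@thread.tacv2 ", action: "accept" }).status;
  const replay = f.consumeBound("u-1", victim); // null: state already consumed
  return { vulnerable, cross, own, replay };
}
```

Note that the cross-conversation decline in the fixed path leaves the victim's pending upload intact, so the victim's own accept still succeeds afterwards.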

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version (as of February 26, 2026): `2026.2.24`
- Vulnerable range: `<= 2026.2.24`
- Patched in release: `2026.2.25`

### Remediation
Upgrade to `openclaw` `2026.2.25` (or later) once published.

### Fix Commit(s)
- `347f7b9550064f5f5b33c6e07f64e85b9657b6f1`

### Release Process Note
`patched_versions` is pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.

OpenClaw thanks @tdjackey for reporting.
GHSA CVSS 4.0 score: 5.3
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-862 Missing Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026