CVE-2026-28481 Overview
OpenClaw versions 2026.1.30 and earlier contain an information disclosure vulnerability in the MS Teams attachment downloader extension. When enabled, the optional extension uses a permissive suffix-based allowlist for host validation. Upon receiving 401 or 403 HTTP responses during attachment downloads, the application automatically retries the request and sends Authorization bearer tokens to untrusted hosts that match the suffix-based allowlist pattern. This enables attackers controlling domains with matching suffixes to intercept and steal authentication tokens.
Critical Impact
Bearer token theft could allow attackers to impersonate users, access sensitive MS Teams data, and potentially pivot to other integrated services using the stolen credentials.
Affected Products
- OpenClaw versions 2026.1.30 and earlier
- OpenClaw MS Teams attachment downloader extension (when enabled)
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-28481 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28481
Vulnerability Analysis
This vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). The flaw exists in the MS Teams attachment downloader extension's retry logic for handling failed download attempts. When the downloader receives a 401 (Unauthorized) or 403 (Forbidden) response, it implements a retry mechanism that includes the Authorization bearer token in subsequent requests without properly validating whether the target host is authorized to receive sensitive authentication credentials.
The root issue stems from the allowlist implementation using suffix-based matching rather than strict domain validation. This approach means that any domain ending with an allowlisted suffix (such as microsoft.com) would be considered trusted, allowing malicious domains like attacker-microsoft.com to receive bearer tokens during retry attempts.
Root Cause
The vulnerability originates from insufficient validation in the host authorization logic for authentication retries. The isUrlAllowed function performs suffix-based matching against the configured allowHosts list, but this check was applied identically for both general URL access and authentication credential transmission. The lack of a separate, stricter authAllowHosts validation for bearer token transmission created the security gap.
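As an added illustration (not OpenClaw's code; the function names are hypothetical), the suffix check the advisory describes beside the strict host check a separate authAllowHosts list should use, plus a gate for the retry path that assumes such a separate list exists:

```typescript
// Added illustration (not OpenClaw's code): the suffix check the advisory
// describes, beside a strict host check for a separate authAllowHosts list.

// Flawed check: any host that merely ends with an allowlisted suffix passes,
// so "attacker-microsoft.com" is accepted for the entry "microsoft.com".
function suffixAllowed(host: string, allowHosts: string[]): boolean {
  const h = host.toLowerCase();
  return allowHosts.some((s) => h.endsWith(s.toLowerCase()));
}

// Strict check: exact host match, or an explicit "*.example.com" entry that
// only matches on a label boundary (at least one label before the base).
function strictAllowed(host: string, allowHosts: string[]): boolean {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowHosts.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith("*.")) {
      const base = e.slice(2);
      return h.endsWith("." + base) && h.length > base.length + 1;
    }
    return h === e;
  });
}

// Gate for the retry path: only attach the bearer token when the URL is
// https and its host passes the strict check against authAllowHosts
// (assumed here to be a list separate from the general allowHosts).
function mayRetryWithToken(url: string, authAllowHosts: string[]): boolean {
  let host: string;
  try {
    const u = new URL(url);
    if (u.protocol !== "https:") return false; // never send a token in clear
    host = u.hostname;
  } catch {
    return false;
  }
  return strictAllowed(host, authAllowHosts);
}
```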
Attack Vector
An attacker can exploit this vulnerability by:
- Registering a domain that ends with an allowlisted suffix (e.g., evil-microsoft.com if microsoft.com is allowlisted)
- Hosting a malicious endpoint that returns 401 or 403 responses to trigger the retry mechanism
- Convincing a user to interact with a crafted MS Teams attachment link pointing to the attacker's domain
- Capturing the bearer token sent during the authentication retry attempt
The attack requires user interaction (opening a malicious attachment link), and the MS Teams extension must be enabled.
// Security patch in extensions/msteams/src/attachments/download.ts
// Source: https://github.com/openclaw/openclaw/commit/41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b
isRecord,
isUrlAllowed,
normalizeContentType,
+ resolveAuthAllowedHosts,
resolveAllowedHosts,
} from "./shared.js";
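Review bot: the new resolveAuthAllowedHosts import is placed before resolveAllowedHosts, breaking the alphabetical order the surrounding names follow (isRecord, isUrlAllowed, normalizeContentType, resolveAllowedHosts); swap the two lines. Note also that this hunk only adds the import: the call site where the retry path switches from resolveAllowedHosts to resolveAuthAllowedHosts before attaching the Authorization header is not shown here, so that is the part to verify against the full commit.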
The patch introduces a new resolveAuthAllowedHosts function to provide separate, stricter validation for hosts that are permitted to receive authentication credentials.
// Security patch in extensions/msteams/src/attachments/graph.ts
// Source: https://github.com/openclaw/openclaw/commit/41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b
tokenProvider?: MSTeamsAccessTokenProvider;
maxBytes: number;
allowHosts?: string[];
+ authAllowHosts?: string[];
fetchFn?: typeof fetch;
/** When true, embeds original filename in stored path for later extraction. */
preserveFilenames?: boolean;
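Review bot: authAllowHosts is optional but its behaviour when omitted is not documented; if an absent authAllowHosts falls back to allowHosts, a caller that never sets it keeps the original suffix-based behaviour on the retry path. Add a doc comment in the style of the one on preserveFilenames, e.g. `/** Hosts that may receive the Authorization header on retry; independent of allowHosts. */`, and state the default explicitly.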
The fix adds a new authAllowHosts configuration parameter, separating general URL access permissions from authentication credential transmission permissions.
Detection Methods for CVE-2026-28481
Indicators of Compromise
- Outbound HTTP requests containing Authorization headers to domains outside of known Microsoft infrastructure
- Failed authentication attempts (401/403 responses) followed by retry requests to suspicious domains
- Bearer tokens transmitted to non-Microsoft domains matching suffix patterns
Detection Strategies
- Monitor network traffic for Authorization bearer tokens sent to non-standard Microsoft domains
- Implement logging for MS Teams attachment download retry events and their target URLs
- Alert on authentication retries where the retry target differs from the original request domain
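As an added example of the detection strategies above (not OpenClaw code), two rules run over constructed egress-proxy log lines: a bearer token sent to a host outside a known set, and a 401/403 immediately followed by a token-bearing retry of the same request to such a host. The log layout and the known-host values are assumptions for the example.

```typescript
// Added detection example (not OpenClaw code). Input: constructed egress
// proxy log lines in a simple "ts id=N METHOD URL status=NNN auth=X" layout.
const SAMPLE_LOG = `
2026-03-06T10:00:01Z id=1 GET https://graph.microsoft.com/v1.0/me/messages status=200 auth=bearer
2026-03-06T10:00:02Z id=2 GET https://evil-microsoft.com/att/report.pdf status=403 auth=none
2026-03-06T10:00:02Z id=3 GET https://evil-microsoft.com/att/report.pdf status=200 auth=bearer
2026-03-06T10:00:05Z id=4 GET https://teams.microsoft.com/api/x status=401 auth=none
2026-03-06T10:00:05Z id=5 GET https://teams.microsoft.com/api/x status=200 auth=bearer
`.trim();

// Exact hosts known to legitimately receive the token (hypothetical values).
const KNOWN_AUTH_HOSTS = new Set(["graph.microsoft.com", "teams.microsoft.com"]);

interface Entry { id: number; host: string; path: string; status: number; auth: boolean }

function parseLine(line: string): Entry | null {
  const m = /^\S+ id=(\d+) \S+ (\S+) status=(\d{3}) auth=(\S+)$/.exec(line);
  if (!m) return null;
  const u = new URL(m[2]);
  return { id: Number(m[1]), host: u.hostname, path: u.pathname,
           status: Number(m[3]), auth: m[4] === "bearer" };
}

// Rule 1: bearer token sent to any host outside the known set.
// Rule 2: a 401/403 without a token, immediately followed by a token-bearing
// retry of the same host and path, where that host is outside the known set.
function detect(log: string): string[] {
  const entries = log.split("\n").map(parseLine).filter((e): e is Entry => e !== null);
  const alerts: string[] = [];
  entries.forEach((e, i) => {
    const untrusted = !KNOWN_AUTH_HOSTS.has(e.host);
    if (e.auth && untrusted) {
      alerts.push(`id=${e.id}: bearer token sent to untrusted host ${e.host}`);
    }
    const prev = i > 0 ? entries[i - 1] : undefined;
    if (prev && !prev.auth && (prev.status === 401 || prev.status === 403) &&
        prev.host === e.host && prev.path === e.path && e.auth && untrusted) {
      alerts.push(`id=${e.id}: token retry after ${prev.status} from ${e.host}`);
    }
  });
  return alerts;
}
```

The legitimate 401-then-retry pair to teams.microsoft.com (ids 4 and 5) produces no alert, while the pair to evil-microsoft.com triggers both rules.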
Monitoring Recommendations
- Enable verbose logging for the MS Teams attachment downloader extension
- Review outbound connections from OpenClaw instances for unusual domain patterns
- Audit the configured allowlist entries and validate they use strict domain matching
How to Mitigate CVE-2026-28481
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.1 or later, which contains the security fix
- Review and restrict the MS Teams attachment downloader allowlist configuration
- If upgrade is not immediately possible, consider temporarily disabling the MS Teams attachment downloader extension
Patch Information
The vulnerability has been patched in OpenClaw version 2026.2.1. The fix implements a separate authAllowHosts configuration that provides stricter validation specifically for bearer token transmission. Users should update to this version to receive the security fix. For detailed patch information, see the GitHub Security Advisory and the commit reference.
Workarounds
- Disable the MS Teams attachment downloader extension if not required for operations
- Implement network-level controls to block outbound bearer token transmission to non-Microsoft domains
- Configure a restrictive authAllowHosts list after upgrading, limiting authentication credential transmission to strictly verified Microsoft endpoints
# Configuration example - Restricting allowed hosts after patching
# In your OpenClaw configuration, specify strict auth-allowed hosts:
OPENCLAW_MSTEAMS_AUTH_ALLOW_HOSTS="graph.microsoft.com,teams.microsoft.com"
OPENCLAW_MSTEAMS_ALLOW_HOSTS="*.microsoft.com,*.microsoftonline.com"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.