CVE-2026-43572 Overview
CVE-2026-43572 is a missing authorization vulnerability [CWE-862] in OpenClaw versions 2026.4.10 through 2026.4.13. The flaw resides in the Microsoft Teams Single Sign-On (SSO) invoke handler, which fails to enforce sender allowlist checks. Attackers can submit SSO invoke requests that bypass sender authorization, gaining unauthorized access to Teams SSO signin functionality.
The vulnerability is exploitable over the network without authentication or user interaction. OpenClaw addressed the issue in version 2026.4.14 by introducing a unified isInvokeAuthorized function that enforces sender allowlist validation across SSO signin invokes.
Critical Impact
Unauthenticated network attackers can bypass sender allowlist checks in the Microsoft Teams SSO invoke handler, enabling unauthorized access to Teams SSO signin functionality.
Affected Products
- OpenClaw 2026.4.10 through 2026.4.13 (Node.js distribution)
- OpenClaw msteams extension monitor handler
- Microsoft Teams SSO invoke processing component
Discovery Timeline
- 2026-05-05 - CVE-2026-43572 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43572
Vulnerability Analysis
The vulnerability stems from incomplete authorization logic in the OpenClaw msteams extension. The handler at extensions/msteams/src/monitor-handler.ts previously applied sender allowlist validation only within isFeedbackInvokeAuthorized. SSO signin invokes were processed through a separate path that did not consult the sender allowlist.
Attackers can craft Microsoft Teams invoke activities targeting the SSO signin endpoint. The handler accepts these requests without verifying whether the sender appears in the configured allowlist. This permits unauthorized parties to interact with the SSO signin flow and trigger authentication-related operations they should not be able to access.
Root Cause
The root cause is a missing authorization check [CWE-862] for one class of invoke activity. The original implementation enforced sender access controls only for feedback invokes. SSO invokes used a different control path that omitted the resolveMSTeamsSenderAccess lookup, leaving the handler open to any sender.
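To make the control-path gap concrete, here is an added model of the dispatch described above, with the vulnerable routing beside a unified check modelled on the patched helper. This is illustrative code written for this page, not OpenClaw's own; the Activity shape, Config, the resolveSenderAccess stand-in and the FEEDBACK_INVOKE name are assumptions.

```typescript
// Added illustration of the missing-authorization pattern; not OpenClaw's code.
// Activity, Config, resolveSenderAccess and FEEDBACK_INVOKE are constructed stand-ins.

type Scope = "dm" | "channel" | "group";
interface Activity { name: string; senderId: string; scope: Scope }
interface Config { allowedSenders: string[] }

const FEEDBACK_INVOKE = "feedback"; // placeholder name for the feedback invoke type
const SSO_INVOKES = new Set(["signin/tokenExchange", "signin/verifyState"]);

// Stand-in for resolveMSTeamsSenderAccess: the only place the allowlist is consulted.
function resolveSenderAccess(cfg: Config, activity: Activity): { allowed: boolean } {
  return { allowed: cfg.allowedSenders.includes(activity.senderId) };
}

// Vulnerable shape: the allowlist is checked inside the feedback branch only,
// so an SSO signin invoke from any sender reaches its handler.
function dispatchVulnerable(cfg: Config, activity: Activity): string {
  if (activity.name === FEEDBACK_INVOKE) {
    if (!resolveSenderAccess(cfg, activity).allowed) return "denied";
    return "feedback handled";
  }
  if (SSO_INVOKES.has(activity.name)) return "sso handled"; // no allowlist lookup on this path
  return "ignored";
}

// Fixed shape: one helper runs for every invoke type before any type-specific
// handler and selects the denial log message by conversation scope.
function isInvokeAuthorized(params: {
  cfg: Config; activity: Activity; deniedLogs: Record<Scope, string>;
}): { ok: boolean; deniedLog?: string } {
  const { cfg, activity, deniedLogs } = params;
  if (resolveSenderAccess(cfg, activity).allowed) return { ok: true };
  return { ok: false, deniedLog: deniedLogs[activity.scope] };
}

function dispatchFixed(cfg: Config, activity: Activity): string {
  if (activity.name !== FEEDBACK_INVOKE && !SSO_INVOKES.has(activity.name)) return "ignored";
  const auth = isInvokeAuthorized({
    cfg, activity,
    deniedLogs: { dm: "invoke denied (dm)", channel: "invoke denied (channel)", group: "invoke denied (group)" },
  });
  if (!auth.ok) return "denied";
  return SSO_INVOKES.has(activity.name) ? "sso handled" : "feedback handled";
}
```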
Attack Vector
Exploitation requires sending a crafted Microsoft Teams SSO invoke activity to an OpenClaw deployment exposing the msteams extension. No credentials or user interaction are required. The attacker leverages the network-accessible bot endpoint to deliver the unauthorized invoke.
// Patch from extensions/msteams/src/monitor-handler.ts
// Refactored authorization helper now applied to all invoke types
-async function isFeedbackInvokeAuthorized(
- context: MSTeamsTurnContext,
- deps: MSTeamsMessageHandlerDeps,
-): Promise<boolean> {
+async function isInvokeAuthorized(params: {
+ context: MSTeamsTurnContext;
+ deps: MSTeamsMessageHandlerDeps;
+ deniedLogs: {
+ dm: string;
+ channel: string;
+ group: string;
+ };
+ includeInvokeName?: boolean;
+}): Promise<boolean> {
+ const { context, deps, deniedLogs, includeInvokeName = false } = params;
const resolved = await resolveMSTeamsSenderAccess({
cfg: deps.cfg,
activity: context.activity,
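Review bot: the excerpt stops inside the resolveMSTeamsSenderAccess call and shows no call site, so these lines alone do not demonstrate that the SSO signin invoke path now goes through isInvokeAuthorized rather than only the renamed feedback caller; the quoted hunk should extend to the remainder of the helper (where the resolved access is mapped onto the deniedLogs dm/channel/group messages) and to the caller change for the SSO signin branch. The optional includeInvokeName parameter defaulting to false would also benefit from a short comment stating which invoke types are expected to pass true, since nothing in the visible lines documents it.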
Source: GitHub commit 80b1fa1
Detection Methods for CVE-2026-43572
Indicators of Compromise
- SSO signin invoke activities from Teams sender identifiers absent from the configured allowlist.
- Authentication events triggered by SSO invokes without preceding allowlist authorization log entries.
- Unexpected Teams signin/tokenExchange or signin/verifyState invocations targeting the OpenClaw bot endpoint.
Detection Strategies
- Inspect OpenClaw application logs for SSO invoke processing records that lack a corresponding resolveMSTeamsSenderAccess decision.
- Correlate Teams bot activity logs with allowlist configuration to identify senders that should have been denied.
- Monitor outbound token exchange traffic from OpenClaw to Microsoft identity endpoints for anomalous frequency or unusual sender attribution.
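As an added sketch of the log-correlation strategy above (not OpenClaw's code), the following flags SSO signin invokes that have no sender-access decision logged for the same sender shortly before them, and separately flags invokes whose sender is outside the allowlist even when a decision was logged. The log line format, field names, sample lines and allowlist are all constructed for this example; OpenClaw's real log format is not documented on this page.

```typescript
// Added detection sketch for the log-correlation strategy; not OpenClaw's code.
// The log line format, field names and sample lines are constructed for this example.

interface LogEvent { ts: number; kind: "invoke" | "sender-access"; name?: string; sender: string }
interface Finding { sender: string; name: string; reason: string }

const SSO_INVOKE_NAMES = new Set(["signin/tokenExchange", "signin/verifyState"]);

// Parse one constructed line: "<iso-ts> msteams <invoke|sender-access> k=v k=v ..."
function parseLine(line: string): LogEvent | null {
  const m = /^(\S+) msteams (invoke|sender-access) (.*)$/.exec(line);
  if (!m) return null;
  const fields: Record<string, string> = {};
  for (const kv of m[3].split(" ")) {
    const i = kv.indexOf("=");
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  if (!fields.sender) return null;
  return { ts: Date.parse(m[1]), kind: m[2] as LogEvent["kind"], name: fields.name, sender: fields.sender };
}

// An SSO invoke with no sender-access decision for that sender within windowMs before it
// is the signature of the unchecked path; a decision for a sender outside the allowlist
// points at configuration drift rather than the bypass.
function findSuspiciousSsoInvokes(lines: string[], allowlist: Set<string>, windowMs = 5000): Finding[] {
  const events = lines.map(parseLine).filter((e): e is LogEvent => e !== null).sort((a, b) => a.ts - b.ts);
  const findings: Finding[] = [];
  for (const e of events) {
    if (e.kind !== "invoke" || !e.name || !SSO_INVOKE_NAMES.has(e.name)) continue;
    const decided = events.some(
      (d) => d.kind === "sender-access" && d.sender === e.sender && d.ts <= e.ts && e.ts - d.ts <= windowMs,
    );
    if (!decided) findings.push({ sender: e.sender, name: e.name, reason: "no allowlist decision logged" });
    else if (!allowlist.has(e.sender)) findings.push({ sender: e.sender, name: e.name, reason: "sender outside allowlist" });
  }
  return findings;
}

// Constructed sample: one checked invoke from an allowlisted sender, one unchecked SSO invoke,
// and one non-SSO invoke that the detector ignores.
const SAMPLE_LINES = [
  "2026-05-06T10:00:00Z msteams sender-access sender=29:alice decision=allow",
  "2026-05-06T10:00:01Z msteams invoke name=signin/tokenExchange sender=29:alice",
  "2026-05-06T10:00:05Z msteams invoke name=signin/verifyState sender=29:mallory",
  "2026-05-06T10:00:09Z msteams invoke name=feedback sender=29:mallory",
];
const SAMPLE_ALLOWLIST = new Set(["29:alice"]);
```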
Monitoring Recommendations
- Enable verbose logging on the msteams extension to capture invoke activity type, sender identity, and authorization outcome.
- Forward OpenClaw and Teams audit logs to a centralized analytics platform and alert on SSO invokes without allowlist evaluation.
- Track deployments of OpenClaw versions across the environment to identify hosts running 2026.4.10 through 2026.4.13.
How to Mitigate CVE-2026-43572
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.14 or later, which applies sender allowlist checks to all invoke types.
- Audit the msteams extension configuration to confirm the sender allowlist is populated and reflects only trusted Teams identities.
- Review historical Teams SSO signin invoke activity for requests originating from unauthorized senders.
Patch Information
The fix is delivered in OpenClaw 2026.4.14. Commit 80b1fa17bfc3f6a668492f0326ea52f48bb89776 replaces isFeedbackInvokeAuthorized with a generalized isInvokeAuthorized helper that enforces resolveMSTeamsSenderAccess for SSO signin invokes. See the GitHub Security Advisory GHSA-gc9r-867r-j85f and the VulnCheck advisory for full remediation guidance.
Workarounds
- Restrict network exposure of the OpenClaw msteams bot endpoint to trusted Microsoft Teams infrastructure ranges where feasible.
- Disable the Microsoft Teams SSO signin feature in OpenClaw configuration until the upgrade can be applied.
- Apply upstream proxy or gateway rules that drop Teams invoke activities from unrecognized tenant or sender identifiers.
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.4.14
# Verify the installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.