Microsoft Teams users running OpenClaw versions up to 2026.3.28 face a medium-severity vulnerability. Thread history fetched through the Microsoft Graph API bypasses sender allowlists. Attackers or untrusted sources could slip restricted messages past filters, exposing organizations to phishing or data leaks.
OpenClaw, an npm package for Teams integration, implements sender allowlists to block messages from specified domains or users. This setup aims to enforce compliance in enterprise environments, where IT teams restrict communications to trusted parties. However, when the tool pulls conversation history via Graph API endpoints like /chats/{id}/messages or /teams/{id}/channels/{id}/messages, it skips these checks. The fetched data lands unfiltered in the local cache or processing pipeline.
The Vulnerability Details
Researchers at AntAISecurityLab discovered the issue and reported it to OpenClaw maintainers. The flaw exists in all versions <=2026.3.28, including the shipped release 2026.3.28. Maintainers confirmed it as real, triaging it as medium severity—normalized score not specified but aligned with CVSS-like metrics for bypass flaws.
Graph API delivers full thread context, including historical messages from any sender. OpenClaw’s implementation failed to reapply allowlist logic post-fetch. A proof-of-concept likely involves joining a channel, triggering history sync, and observing blocked sender content appear. No exploitation in the wild reported yet, but the vector suits insider threats or compromised accounts with Graph permissions.
Microsoft Graph requires delegated or application permissions like Chat.Read, ChannelMessage.Read.All. In Teams clients or bots using OpenClaw, these scopes often run with elevated access. The bypass undermines layered defenses: even if real-time messaging respects allowlists, history does not.
Why This Matters
Organizations rely on Teams for 300 million daily active users as of 2023, per Microsoft stats. Sender allowlists prevent shadow IT, block malicious domains, and support regulations like GDPR or HIPAA by isolating comms. This flaw erodes that control. Consider a finance firm whitelisting only internal domains— a phishing thread from weeks ago, fetched via history, could resurface and trick users.
Broader context: Teams security incidents spiked 40% year-over-year in 2023, per Proofpoint reports, often via API abuse. Graph’s power enables bulk data pulls, making bypasses high-impact. OpenClaw users in security ops or monitoring tools amplify risks—tools scanning for threats might ingest and propagate blocked content, creating false positives or exfil paths.
Skeptically, the issue seems straightforward: a filtering oversight in one code path. Not zero-day catastrophic, but sloppy for a security-focused package. Maintainers acted fast—fix landed March 30, 2026, in commit 5cca38084074fb5095aa11b6a59820d63e4937c9, bumping to 2026.3.31. Mainline includes unreleased hardening, suggesting proactive audit.
Implications extend to supply chain: npm’s 2 million packages mean transitive deps pull in OpenClaw unwittingly. Socket.dev or similar scanners flagged it promptly, but lag in updates leaves exposures. In regulated sectors, this triggers audit findings, forcing patches and reviews.
Fix and Mitigation
Upgrade immediately to OpenClaw >=2026.3.31. The patch enforces allowlist checks on all Graph-fetched payloads. Run
npm update openclaw or pin in package.json. Verify via npm ls openclaw.
Short-term: Disable history sync or revoke Graph scopes if unused. Monitor Graph logs in Azure AD for anomalous Read queries—filter by app ID tied to OpenClaw. Test allowlists post-upgrade: craft a thread with blocked sender, fetch history, confirm filtering.
For Teams admins, enforce Conditional Access Policies on Graph endpoints. Limit history depth with API params like $top=50. Audit all npm deps with npm audit weekly—OpenClaw’s status remains “open,” so watch for CVEs.
This underscores API pitfalls in collaboration tools. Developers: always sanitize external data fetches. Teams grows; so do its attack surface. Stay vigilant—patch now, or risk history biting back.
