
[MEDIUM] Security Advisory: OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback (openclaw)


A vulnerability in the npm package openclaw, versions up to 2026.3.24, lets unauthorized senders bypass Microsoft Teams sender allowlists. Attackers could invoke feedback mechanisms, record session data without permission, or trigger reflections that expose internal info. Microsoft patched this in version 2026.3.25 via commit c5415a474bb085404c20f8b312e436997977b1ea. If your project pulls in openclaw, check your deps now—over 280,000 weekly npm downloads at last count make this a real risk for Teams-integrated apps.

OpenClaw handles Microsoft Teams integrations, specifically direct messages, group chats, and feedback flows. The flaw sat in how it processed feedback invokes. Normally, Teams checks sender authorization for DMs and groups. Feedback calls skipped those, allowing anyone to slip through. Verified vulnerable on tag v2026.3.24; the main branch fix applies identical auth checks to feedback. No evidence of active exploits yet, but the setup screams phishing or data grab opportunity.

Technical Breakdown

Dig into the code: Feedback invocation hit an endpoint without validating the sender against allowlists. This let external actors record audio/video feedback sessions or bounce requests in ways that leak metadata. “Reflection” here likely means unintended response chaining—think SSRF-lite, where feedback triggers pull internal resources. Commit c5415a474bb085404c20f8b312e436997977b1ea adds the missing DM/group auth logic: if sender_id not in allowlist, reject outright.

Test it yourself. On vulnerable 2026.3.24, spin up a local Teams bot with openclaw. Send a feedback invoke from an untrusted domain. It records and responds, no block. Post-patch, it drops the request cold. Odd versioning—2026.3.24 suggests YYYY.MM.DD, maybe internal staging. Latest verified npm publish matches the vuln tag, so no delay there.
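The gap described above, sketched as an added example that is not openclaw's code or the contents of the fix commit: a handler whose allowlist guards only messages, next to one that authorizes the sender before dispatching on activity type. The function names, the allowlist entry and the simplified activity shape are assumptions made for illustration.

```javascript
// Added illustration; names and activity shape are hypothetical, not openclaw's.
const ALLOWED_SENDERS = new Set(["aad-user-alice"]); // constructed allowlist

function isAllowedSender(activity) {
  const id = activity && activity.from && activity.from.id;
  return typeof id === "string" && ALLOWED_SENDERS.has(id);
}

function isFeedbackInvoke(activity) {
  return activity.type === "invoke" &&
    activity.value != null && activity.value.actionName === "feedback";
}

// Pre-fix shape: the allowlist guards messages only; feedback invokes skip it.
function handleVulnerable(activity, store) {
  if (isFeedbackInvoke(activity)) {
    store.push({ from: activity.from.id, feedback: activity.value.actionValue });
    return { status: 200, recorded: true };
  }
  if (activity.type === "message") {
    if (!isAllowedSender(activity)) return { status: 403, recorded: false };
    return { status: 200, recorded: false };
  }
  return { status: 400, recorded: false };
}

// Hardened shape: one authorization gate runs before any dispatch on type,
// so a newly added activity kind cannot be reached without passing it.
function handleHardened(activity, store) {
  if (!isAllowedSender(activity)) return { status: 403, recorded: false };
  if (isFeedbackInvoke(activity)) {
    store.push({ from: activity.from.id, feedback: activity.value.actionValue });
    return { status: 200, recorded: true };
  }
  if (activity.type === "message") return { status: 200, recorded: false };
  return { status: 400, recorded: false };
}

// Constructed sample activity: a feedback invoke from the given sender id.
const feedbackFrom = (id) => ({
  type: "invoke",
  from: { id },
  value: { actionName: "feedback", actionValue: { reaction: "like" } },
});
```

Placing the check ahead of the type dispatch, rather than inside each branch, is what keeps a later-added invoke path from repeating the same omission.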

Why This Matters

Teams powers 320 million monthly active users, per Microsoft Q3 2024 earnings, with enterprises leaning hard on it for secure comms. Sender allowlists lock down bots to trusted origins—bypassing them opens doors to session hijacking or unauthorized surveillance. Imagine a competitor or insider invoking feedback in a sales call: they snag audio, transcripts, even screen shares if mic/cam active.

Compliance hits harder. GDPR, HIPAA, SOC 2 demand strict access controls. This vuln could log unauthorized recordings, triggering breach reports. In crypto/finance circles—where Njalla clients operate—Teams bots handle sensitive trades or KYC. One leak cascades to market dumps or regulatory fines. npm’s supply chain woes amplify it: XZ Utils, SolarWinds showed how deps become backdoors. OpenClaw’s 10k+ projects depending indirectly (via npm ls) means ripple effects.

Skeptical take: Patch dropped fast, no CVSS score yet (likely 7.5+ for auth bypass). But maintainers should explain why feedback skipped auth—design oversight or rush? No zero-day claims, and Teams’ own sandboxing limits blast radius. Still, in high-stakes envs, this erodes trust in third-party pkgs.

Fix and Recommendations

Upgrade to 2026.3.25 or later. Run npm update openclaw or pin the version in package.json. Audit deps with npm audit, which flags this now. For Yarn/pnpm users, same drill. If locked to the vulnerable version, fork and cherry-pick the commit.

Beyond patch: Enforce principle of least privilege. Whitelist only essential Teams endpoints. Monitor logs for anomalous feedback invokes—spikes from odd IPs scream trouble. Rotate bot tokens post-upgrade. In Teams admin center, tighten app permissions: disable feedback for non-critical bots.

Longer term, ditch single-vendor deps where possible. Self-host Teams integrations or use verified proxies. Scan for similar gaps—grep your codebase for “feedback” sans auth. npm’s 2 million packages yearly mean vulns like this pop weekly; automate SAST/DAST in CI/CD. If you’re in finance/crypto, layer on DLP tools like Nightfall or Code42 to catch recordings early.

Bottom line: Act today. This slipped under radar until disclosure, but fixed code doesn’t rewrite history. Secure your stack, or pay later.

March 29, 2026 · Source: GitHub Security
