High severity | NVD Advisory | Published Mar 19, 2026 | Updated Mar 20, 2026
OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling
CVE-2026-32037
Description
OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls.
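To make the failure mode concrete, here is an added example (not OpenClaw's code) of a redirect-following media download in which the host allowlist is checked either on the first URL only, which is the weak pattern this advisory describes, or on every hop of the redirect chain. The allowlist, host names, the `downloadMedia`/`hostAllowed`/`httpGetNoFollow` functions and the simulated server responses are all constructed for the example.

```javascript
// Added example, not OpenClaw's code: a media download that follows redirects,
// with the allowlist check applied either to the first URL only (the weak
// pattern behind this advisory) or to every hop (the hardened form).

// Constructed allowlist, standing in for a mediaAllowHosts configuration.
const MEDIA_ALLOW_HOSTS = new Set(['media.example-allowed.test']);

// Constructed responses for a simulated server: the allowlisted host answers
// with a redirect to a host that is not on the allowlist.
const FAKE_SERVER = {
  'https://media.example-allowed.test/attachment.png':
    { status: 302, location: 'https://files.not-allowed.test/asset.png' },
  'https://files.not-allowed.test/asset.png':
    { status: 200, body: 'bytes-from-non-allowlisted-host' },
};

// Stand-in for an HTTP client that does NOT follow redirects on its own.
function httpGetNoFollow(url) {
  return FAKE_SERVER[url] || { status: 404 };
}

function hostAllowed(urlString, allowHosts) {
  const u = new URL(urlString);
  return u.protocol === 'https:' && allowHosts.has(u.hostname);
}

// checkEveryHop=false reproduces the weak pattern: only the initial URL is
// validated and each Location target is fetched unchecked.
// checkEveryHop=true validates the initial URL and every redirect target.
function downloadMedia(url, allowHosts, checkEveryHop, maxRedirects = 5) {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if ((hop === 0 || checkEveryHop) && !hostAllowed(current, allowHosts)) {
      return { ok: false, reason: `hop ${hop} not allowlisted: ${new URL(current).hostname}` };
    }
    const res = httpGetNoFollow(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).href; // resolves relative Location too
      continue;
    }
    return { ok: res.status === 200, finalUrl: current, body: res.body, hops: hop };
  }
  return { ok: false, reason: 'too many redirects' };
}
```

With `checkEveryHop` false the download succeeds and returns bytes from the non-allowlisted host; with it true the second hop is rejected before any request to that host is made.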
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.22 | 2026.2.22 |
References
- github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c (patch)
- github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124 (patch)
- github.com/advisories/GHSA-w76h-8m22-hpgh (advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh (third-party advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32037 (advisory)
- www.vulncheck.com/advisories/openclaw-redirect-chain-bypass-of-media-host-allowlist-in-msteams-attachment-handling (third-party advisory)