Medium severity5.4NVD Advisory· Published Apr 28, 2026· Updated Apr 28, 2026
CVE-2026-41365
CVE-2026-41365
Description
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.31 | 2026.3.31 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/openclaw/openclaw/commit/5cca38084074fb5095aa11b6a59820d63e4937c9nvdPatchWEB
- github.com/advisories/GHSA-chfm-xgc4-47rjghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rjnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41365ghsaADVISORY
- www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-graph-api-thread-historynvdThird Party AdvisoryWEB
- github.com/openclaw/openclaw/releases/tag/v2026.3.31ghsaWEB
News mentions
0No linked articles in our index yet.