GHSA-rf6h-5gpw-qrgq

Suggest an improvement
Source
https://github.com/advisories/GHSA-rf6h-5gpw-qrgq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rf6h-5gpw-qrgq/GHSA-rf6h-5gpw-qrgq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rf6h-5gpw-qrgq
Aliases
  • CVE-2026-35654
Downstream
Published
2026-03-29T15:49:50Z
Modified
2026-04-10T17:25:07Z
Summary
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
Details

Summary

MS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Microsoft Teams feedback invokes previously bypassed sender authorization and could record feedback or trigger reflection for unauthorized senders. Commit c5415a474bb085404c20f8b312e436997977b1ea applies the same DM and group authorization checks to feedback invokes.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit c5415a474bb085404c20f8b312e436997977b1ea.

Fix Commit(s)

  • c5415a474bb085404c20f8b312e436997977b1ea
Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:49:50Z",
    "cwe_ids": [
        "CWE-288",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.3.28

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rf6h-5gpw-qrgq/GHSA-rf6h-5gpw-qrgq.json"
last_known_affected_version_range 
"<= 2026.3.24"