DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-CHFM-XGC4-47RJ: GHSA-CHFM-XGC4-47RJ: Indirect Prompt Injection via Microsoft Teams History in OpenClaw

#security #cve #cybersecurity #ghsa

GHSA-CHFM-XGC4-47RJ: Indirect Prompt Injection via Microsoft Teams History in OpenClaw

Vulnerability ID: GHSA-CHFM-XGC4-47RJ
CVSS Score: 5.3
Published: 2026-04-02

OpenClaw personal AI assistant versions prior to v2026.3.31 contain a vulnerability in the Microsoft Teams integration. The software fails to enforce sender allowlist validation on historical thread messages retrieved via the Microsoft Graph API. This omission allows unauthorized participants in a shared thread to embed malicious instructions that the language model subsequently ingests and executes.

TL;DR

OpenClaw's MSTeams module performs authorization checks only on the user triggering the bot, ignoring the senders of historical messages in the thread. Attackers can perform Indirect Prompt Injection (IPI) by placing payloads in a thread context, which are executed when an authorized user interacts with the bot.

Technical Details

  • CWE ID: CWE-74 (Improper Neutralization of Special Elements)
  • Attack Vector: Network (Microsoft Teams API Integration)
  • Impact: Indirect Prompt Injection / Arbitrary Execution
  • Exploit Status: Proof of Concept Available
  • CISA KEV: False
  • Severity: Medium

Affected Systems

  • OpenClaw (NPM Package)
  • OpenClaw Microsoft Teams Integration (extensions/msteams)
  • openclaw: < 2026.3.31 (Fixed in: 2026.3.31)

Code Analysis

Commit: 5cca380

Fix: Apply resolveMSTeamsAllowlistMatch to historical messages in MSTeams monitor handler.

const threadMessages = groupPolicy === 'allowlist' ? allMessages.filter((msg) => { return resolveMSTeamsAllowlistMatch({ allowFrom: effectiveGroupAllowFrom, senderId: msg.from?.user?.id ?? '', senderName: msg.from?.user?.displayName, allowNameMatching, }).allowed; }) : allMessages;
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade the openclaw application to a patched release.
  • Enforce explicit allowlist policies for message ingestion.
  • Disable insecure identity validation configurations.

Remediation Steps:

  1. Update the openclaw NPM package to v2026.3.31 or newer.
  2. Configure the groupPolicy parameter to "allowlist" in the MSTeams integration settings.
  3. Ensure dangerouslyAllowNameMatching is disabled.
  4. Populate the groupAllowFrom list exclusively with immutable Azure AD Object IDs.

References

Read the full report for GHSA-CHFM-XGC4-47RJ on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)