CVE-2026-28481
Received Received - Intake
Bearer Token Disclosure in OpenClaw MS Teams Attachment Downloader

Publication date: 2026-03-05

Last updated on: 2026-03-17

Assigner: VulnCheck

Description
OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28481
EUVD
EUVD-2026-9927
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.1.30 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions 2026.1.30 and earlier, specifically in the MS Teams attachment downloader feature, which is an optional extension. When this feature is enabled, the application may leak bearer tokens to domains that match a permissive suffix-based allowlist. This happens when the application retries downloads after receiving 401 or 403 HTTP responses, sending Authorization bearer tokens to untrusted hosts that fit the allowlist criteria. This behavior enables attackers to steal these tokens.

Impact Analysis

The impact of this vulnerability is information disclosure through token theft. Attackers who receive leaked bearer tokens can potentially use them to impersonate legitimate users or gain unauthorized access to resources or services that accept these tokens. This can lead to unauthorized access to sensitive information or systems.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update OpenClaw to version 2026.2.1 or later, where the information disclosure issue in the MS Teams attachment downloader has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart