CVE-2026-28481
Bearer Token Disclosure in OpenClaw MS Teams Attachment Downloader
Publication date: 2026-03-05
Last updated on: 2026-03-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.1.30 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions 2026.1.30 and earlier, specifically in the MS Teams attachment downloader feature, which is an optional extension. When this feature is enabled, the application may leak bearer tokens to domains that match a permissive suffix-based allowlist. This happens when the application retries downloads after receiving 401 or 403 HTTP responses, sending Authorization bearer tokens to untrusted hosts that fit the allowlist criteria. This behavior enables attackers to steal these tokens.
How can this vulnerability impact me? :
The impact of this vulnerability is information disclosure through token theft. Attackers who receive leaked bearer tokens can potentially use them to impersonate legitimate users or gain unauthorized access to resources or services that accept these tokens. This can lead to unauthorized access to sensitive information or systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update OpenClaw to version 2026.2.1 or later, where the information disclosure issue in the MS Teams attachment downloader has been patched.