CVE-2026-43572
Missing Authorization in OpenClaw Teams SSO Invoke Handler
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.14 (exc) |
| openclaw | openclaw | 2026.4.14 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
OpenClaw versions 2026.4.10 through 2026.4.13 contain a missing authorization vulnerability in the Microsoft Teams Single Sign-On (SSO) invoke handler. This vulnerability occurs because the handler fails to apply sender allowlist checks before processing SSO sign-in requests. As a result, attackers can bypass sender authorization by sending specially crafted SSO invoke requests that are processed without proper validation.
This allows unauthorized users to trigger Teams SSO sign-in flows, potentially gaining unauthorized access or exchanging tokens without permission.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to Microsoft Teams Single Sign-On functionality within OpenClaw. Attackers exploiting this flaw can bypass sender authorization checks and initiate SSO sign-in processes without proper validation.
The impact includes potential unauthorized access to user accounts or services that rely on Teams SSO, which could lead to unauthorized token exchange or access to sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring Microsoft Teams Single Sign-On (SSO) invoke requests to identify unauthorized or unexpected SSO sign-in attempts that bypass sender allowlist checks.
Since the vulnerability allows unauthorized SSO invoke requests to be processed without proper validation, you can look for unusual or unauthorized SSO invoke traffic in your logs or network captures.
The patch introduced detailed logging for blocked attempts specifying whether the denial was due to direct message (DM), channel, or group chat restrictions. Reviewing logs for such blocked attempts or unexpected SSO invoke requests can help detect exploitation attempts.
Specific commands are not provided in the resources, but general approaches include:
- Inspect application logs for Microsoft Teams SSO invoke handler entries indicating blocked or unauthorized sign-in attempts.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic for unusual SSO invoke requests.
- Search logs for patterns of SSO invoke requests coming from senders not in the allowlist or from unexpected sources.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade OpenClaw to version 2026.4.14 or later, where the vulnerability has been fixed.
The fix enforces sender allowlist checks on Microsoft Teams SSO sign-in invokes, ensuring only authorized senders can trigger SSO sign-in flows.
Until the upgrade is applied, monitor and restrict SSO invoke requests where possible, and review logs for unauthorized access attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.