Summary
MSTeams thread history bypasses sender allowlist via Graph API
Current Maintainer Triage
- Status: open
- Normalized severity: medium
- Assessment: Real in shipped v2026.3.28 MS Teams because Graph-fetched thread history bypasses sender allowlists, with unreleased mainline filtering fix.
Affected Packages / Versions
- Package:
openclaw (npm)
- Latest published npm version:
2026.3.31
- Vulnerable version range:
<=2026.3.28
- Patched versions:
>= 2026.3.31
- First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
5cca38084074fb5095aa11b6a59820d63e4937c9 — 2026-03-30T15:38:26+01:00
OpenClaw thanks @AntAISecurityLab for reporting.
References
Summary
MSTeams thread history bypasses sender allowlist via Graph API
Current Maintainer Triage
Affected Packages / Versions
openclaw(npm)2026.3.31<=2026.3.28>= 2026.3.31v2026.3.31Fix Commit(s)
5cca38084074fb5095aa11b6a59820d63e4937c9— 2026-03-30T15:38:26+01:00OpenClaw thanks @AntAISecurityLab for reporting.
References