OpenClaw versions before 2026.3.8 contain a sender allowlist bypass vulnerability in the Microsoft Teams plugin. The vulnerability occurs when a team/channel route allowlist is configured with an empty groupAllowFrom parameter. This configuration causes the message handler to synthesize wildcard sender authorization, allowing any sender in the matched team/channel to bypass intended authorization checks. Unauthorized senders can trigger replies in allowlisted Teams routes, potentially compromising the security controls designed to restrict message handling to authorized users only.