


Perceptive Security
SOC/SIEM Consultancy

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended auth…
Published:
30 March 2026 at 22:00:00
Alert date:
31 March 2026 at 13:04:59
Source:
nvd.nist.gov
Email & Messaging, Identity & Access
OpenClaw versions before 2026.3.8 contain a sender allowlist bypass vulnerability in the Microsoft Teams plugin. The vulnerability occurs when a team/channel route allowlist is configured with an empty groupAllowFrom parameter: instead of treating the empty list as "no sender allowed", the message handler synthesizes wildcard sender authorization for that route. As a result, any sender in the matched team/channel bypasses the intended authorization check and can trigger replies in allowlisted Teams routes, performing actions within the Teams integration that should have been limited to the configured senders.
Technical details
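As an added illustration (not OpenClaw's own code, and not taken from the linked commit), the following TypeScript models the failure mode the advisory describes: a per-route sender allowlist resolver that widens an empty groupAllowFrom into a wildcard, beside a fail-closed version, plus a small audit helper that lists the routes an operator should inspect on a pre-2026.3.8 build. The type and function names, the `*` wildcard token, the sample configuration and the fallback from an unset route list to a global allowlist are assumptions for illustration.

```typescript
// Added example, not OpenClaw's code: a simplified model of how an empty
// per-route sender allowlist can be widened into a wildcard, and a fixed
// resolver that refuses to do so. Names, fields, the "*" wildcard token and
// the global-allowlist fallback are assumptions made for this illustration.

interface TeamsRoute {
  teamId: string;
  channelId: string;
  // Per-route sender allowlist (mirrors the advisory's "groupAllowFrom").
  // undefined = not configured on this route; [] = configured but empty.
  groupAllowFrom?: string[];
}

interface InboundTeamsMessage {
  teamId: string;
  channelId: string;
  senderId: string;
}

const WILDCARD = "*";

function matchRoute(routes: TeamsRoute[], msg: InboundTeamsMessage): TeamsRoute | undefined {
  return routes.find(r => r.teamId === msg.teamId && r.channelId === msg.channelId);
}

// Pre-fix behaviour as the advisory describes it: when the matched route's
// allowlist resolves to an empty list, the handler synthesizes a wildcard,
// so every sender in that team/channel is treated as authorized.
function isSenderAllowedVulnerable(
  routes: TeamsRoute[], globalAllowFrom: string[], msg: InboundTeamsMessage,
): boolean {
  const route = matchRoute(routes, msg);
  if (!route) return false;
  const configured = route.groupAllowFrom ?? globalAllowFrom;   // assumed fallback
  const allow = configured.length > 0 ? configured : [WILDCARD]; // BUG: empty => everyone
  return allow.includes(WILDCARD) || allow.includes(msg.senderId);
}

// Hardened behaviour: an empty allowlist denies every sender (fail closed),
// and a wildcard is honoured only when an operator wrote "*" explicitly.
function isSenderAllowedFixed(
  routes: TeamsRoute[], globalAllowFrom: string[], msg: InboundTeamsMessage,
): boolean {
  const route = matchRoute(routes, msg);
  if (!route) return false;
  const allow = route.groupAllowFrom ?? globalAllowFrom;        // assumed fallback
  if (allow.length === 0) return false;                          // nothing configured => nobody
  return allow.includes(msg.senderId) || allow.includes(WILDCARD);
}

// Config audit for deployments still on a pre-2026.3.8 build: returns the
// routes whose empty allowlist the vulnerable handler would widen to a wildcard.
function routesWithEmptyAllowlist(routes: TeamsRoute[]): TeamsRoute[] {
  return routes.filter(r => r.groupAllowFrom !== undefined && r.groupAllowFrom.length === 0);
}

// Constructed sample configuration and messages (not real identifiers).
const sampleRoutes: TeamsRoute[] = [
  { teamId: "team-A", channelId: "chan-1", groupAllowFrom: ["user-ops"] },
  { teamId: "team-A", channelId: "chan-2", groupAllowFrom: [] },          // misconfigured route
  { teamId: "team-A", channelId: "chan-3" },                               // inherits global list
];
const sampleGlobalAllowFrom: string[] = ["user-ops"];

const strangerInChan2: InboundTeamsMessage = { teamId: "team-A", channelId: "chan-2", senderId: "user-anyone" };
const strangerInChan3: InboundTeamsMessage = { teamId: "team-A", channelId: "chan-3", senderId: "user-anyone" };
const opsInChan1: InboundTeamsMessage = { teamId: "team-A", channelId: "chan-1", senderId: "user-ops" };
const unroutedMessage: InboundTeamsMessage = { teamId: "team-B", channelId: "chan-9", senderId: "user-ops" };

function demo(): Record<string, boolean> {
  return {
    vulnerableLetsStrangerIntoEmptyRoute: isSenderAllowedVulnerable(sampleRoutes, sampleGlobalAllowFrom, strangerInChan2),
    fixedBlocksStrangerInEmptyRoute: isSenderAllowedFixed(sampleRoutes, sampleGlobalAllowFrom, strangerInChan2),
    fixedBlocksStrangerInInheritedRoute: isSenderAllowedFixed(sampleRoutes, sampleGlobalAllowFrom, strangerInChan3),
    fixedAllowsListedSender: isSenderAllowedFixed(sampleRoutes, sampleGlobalAllowFrom, opsInChan1),
    fixedIgnoresUnroutedMessage: isSenderAllowedFixed(sampleRoutes, sampleGlobalAllowFrom, unroutedMessage),
  };
}
```

The audit helper is the part worth running before the upgrade lands: a route that appears in `routesWithEmptyAllowlist` is one where, on an affected build, every member of that team/channel can make the bot respond.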
Mitigation steps:
Update OpenClaw to version 2026.3.8 or later, the first release not affected according to the advisory. Until the update is deployed, review the Microsoft Teams plugin configuration and do not leave groupAllowFrom empty on any team/channel route: either list the intended senders explicitly or remove the route.
Affected products:
OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-34509
https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2
https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq
https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration-2
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
