CVE-2026-35654: OpenClaw auth bypass on Teams

CISO Take

OpenClaw's Microsoft Teams integration contains a broken allowlist check on its feedback invoke endpoints, allowing any unauthenticated network actor to inject arbitrary session feedback without credentials or user interaction. While EPSS data is unavailable and the CVE is not in CISA KEV, the CVSS vector (AV:N/AC:L/PR:N/UI:N) means exploitation requires zero skill — any attacker who can reach the endpoint can abuse it. In AI agent deployments where session feedback influences agent behavior, memory updates, or fine-tuning pipelines, unauthorized feedback injection is an integrity risk that materially exceeds what the CVSS 5.3 score suggests. Upgrade to OpenClaw 2026.3.25 immediately and restrict feedback invoke endpoints to authorized senders at the network layer pending patching.

Sources: NVD GitHub Advisory ATLAS VulnCheck

What is the risk?

Medium baseline severity elevated by a zero-barrier exploitation profile (AV:N/AC:L/PR:N/UI:N). The vulnerability itself has limited direct impact — integrity only, no confidentiality or availability effect. However, OpenClaw's 395 prior CVEs signal a historically weak security posture, and any feedback channel feeding into an AI agent's behavioral loop represents a slow-burn integrity vector. With only 4 downstream dependents, blast radius is constrained, but the agentic context amplifies impact beyond traditional software vulnerabilities.

How does the attack unfold?

Endpoint Discovery

Attacker identifies a publicly accessible OpenClaw instance with Microsoft Teams feedback invoke endpoints exposed, requiring no credentials or prior reconnaissance beyond a network scan.

AML.T0006

Authorization Bypass

Attacker crafts HTTP requests to the feedback invoke endpoint that circumvent sender allowlist validation (CWE-288), gaining unauthorized write access to the feedback recording function.

AML.T0049

Feedback Injection

Attacker submits fabricated session feedback — false quality ratings or adversarial content flagged as high-quality — which gets persisted as legitimate agent session data via AI Agent Tool Invocation.

AML.T0053

Context Poisoning

Injected feedback corrupts the agent's behavioral feedback loop or fine-tuning data over time, silently shifting agent responses toward attacker-desired outcomes without triggering obvious alerts.

AML.T0080

Endpoint Discovery

Attacker identifies a publicly accessible OpenClaw instance with Microsoft Teams feedback invoke endpoints exposed, requiring no credentials or prior reconnaissance beyond a network scan.

AML.T0006

Authorization Bypass

Attacker crafts HTTP requests to the feedback invoke endpoint that circumvent sender allowlist validation (CWE-288), gaining unauthorized write access to the feedback recording function.

AML.T0049

Feedback Injection

Attacker submits fabricated session feedback — false quality ratings or adversarial content flagged as high-quality — which gets persisted as legitimate agent session data via AI Agent Tool Invocation.

AML.T0053

Context Poisoning

Injected feedback corrupts the agent's behavioral feedback loop or fine-tuning data over time, silently shifting agent responses toward attacker-desired outcomes without triggering obvious alerts.

AML.T0080

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 37% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

5.3 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I Low

A None

What should I do?

5 steps

Upgrade to OpenClaw ≥2026.3.25 (patch commit c5415a474bb085404c20f8b312e436997977b1ea).
Restrict feedback invoke endpoint access to authorized Microsoft Teams sender IPs and domains at the network or reverse-proxy layer.
Audit existing feedback logs for anomalous or unexpected entries prior to patching to detect pre-patch abuse windows.
Inventory all 4 downstream dependents and verify they inherit the patched version.
If immediate patching is not feasible, disable the Microsoft Teams feedback invoke integration entirely as a temporary workaround.

How is it classified?

Auth Bypass Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0080 - AI Agent Context Poisoning

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9 - Information security for AI systems

NIST AI RMF

GOVERN 1.1 - Policies and procedures for AI risk

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-35654?

OpenClaw's Microsoft Teams integration contains a broken allowlist check on its feedback invoke endpoints, allowing any unauthenticated network actor to inject arbitrary session feedback without credentials or user interaction. While EPSS data is unavailable and the CVE is not in CISA KEV, the CVSS vector (AV:N/AC:L/PR:N/UI:N) means exploitation requires zero skill — any attacker who can reach the endpoint can abuse it. In AI agent deployments where session feedback influences agent behavior, memory updates, or fine-tuning pipelines, unauthorized feedback injection is an integrity risk that materially exceeds what the CVSS 5.3 score suggests. Upgrade to OpenClaw 2026.3.25 immediately and restrict feedback invoke endpoints to authorized senders at the network layer pending patching.

Is CVE-2026-35654 actively exploited?

No confirmed active exploitation of CVE-2026-35654 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35654?

1. Upgrade to OpenClaw ≥2026.3.25 (patch commit c5415a474bb085404c20f8b312e436997977b1ea). 2. Restrict feedback invoke endpoint access to authorized Microsoft Teams sender IPs and domains at the network or reverse-proxy layer. 3. Audit existing feedback logs for anomalous or unexpected entries prior to patching to detect pre-patch abuse windows. 4. Inventory all 4 downstream dependents and verify they inherit the patched version. 5. If immediate patching is not feasible, disable the Microsoft Teams feedback invoke integration entirely as a temporary workaround.

What systems are affected by CVE-2026-35654?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, Microsoft Teams AI integrations, feedback-driven training pipelines, conversational AI deployments.

What is the CVSS score for CVE-2026-35654?

CVE-2026-35654 has a CVSS v3.1 base score of 5.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworksMicrosoft Teams AI integrationsfeedback-driven training pipelinesconversational AI deployments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0080 AI Agent Context Poisoning

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.9

NIST AI RMF: GOVERN 1.1

OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or reflection.

Exploitation Scenario

An attacker identifies a publicly reachable OpenClaw instance with Microsoft Teams integration enabled. Without credentials, they send crafted HTTP requests directly to the feedback invoke endpoint, bypassing sender allowlist validation (CWE-288). The attacker submits fabricated feedback — for example, marking harmful or incorrect agent responses as high-quality — which gets persisted as legitimate session data. If the organization uses this feedback for agent tuning or behavioral reinforcement, the injected data gradually shifts agent outputs in attacker-desired directions, achieving silent context poisoning through the trusted feedback channel over days or weeks.

Weaknesses (CWE)

CWE-288 Authentication Bypass Using an Alternate Path or Channel

CWE-288 — Authentication Bypass Using an Alternate Path or Channel: The product requires authentication, but the product has an alternate path or channel that does not require authentication.

[Architecture and Design] Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

Source: MITRE CWE corpus.