GHSA-gc9r-867r-j85f: openclaw: auth bypass in Teams SSO invoke handler

GHSA-gc9r-867r-j85f LOW
Published April 17, 2026
CISO Take

The openclaw AI agent framework (npm) failed to apply sender allowlist checks to Microsoft Teams SSO invoke messages, allowing any Teams sender — including explicitly blocked parties — to trigger SSO authentication flows against the agent. While the CVSS score is unassigned and vendor-rated low, the actual risk scales with your openclaw deployment's permission scope: an agent with broad tool access or sensitive data exposure turns this auth bypass into a meaningful lateral movement vector within your Teams environment. The package has 135 previously disclosed CVEs, a pattern that signals sustained security debt rather than an isolated lapse. With no public exploits, no KEV listing, and only 4 downstream dependents, urgency is moderate — upgrade to openclaw 2026.4.14 immediately, then audit Teams channel sender configurations and review which tools your openclaw agent can invoke.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Formal severity is low with no CVSS score assigned, but contextual risk is elevated for any organization running openclaw as a high-privilege Teams bot. CWE-862 (Missing Authorization) in an AI agent invoke handler creates an authorization boundary failure — the exact class of bug that enables lateral movement and privilege escalation when agents hold access to sensitive systems. The 135 prior CVEs on the same package suggest this is not an isolated patch but part of a recurring vulnerability pattern. The absence of active exploitation evidence (no KEV, no EPSS, no public PoC) keeps immediate risk contained. The primary risk is insider threat escalation, or an external attacker with any Teams foothold bypassing sender restrictions to interact with the agent.

How does the attack unfold?

  1. Target Identification (AML.T0006): Attacker with Teams access identifies an openclaw bot deployed in a restricted channel or with denied-sender restrictions in place.

  2. Auth Bypass via SSO Invoke (AML.T0049): Attacker sends a crafted Teams SSO invoke directly to the bot, which the handler processes without applying the sender allowlist check used for normal messages.

  3. Unauthorized Session Establishment (AML.T0012): SSO flow completes and the attacker obtains an authenticated session with the openclaw agent as if they were an authorized sender.

  4. Agent Tool Abuse (AML.T0053): Attacker leverages the established session to invoke agent tools — querying internal APIs, accessing connected data sources, or pivoting to systems the agent has permissions to reach.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | >= 2026.4.10, < 2026.4.14 | 2026.4.14 |

4 dependents, 36% patched, ~3d to patch


How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps
  1. Patch immediately: upgrade openclaw to >= 2026.4.14. This routes SSO invoke handling through the standard Teams sender authorization path.

  2. Audit sender allowlists in your Teams bot configuration — verify denied senders are correctly enumerated and that no entries were inadvertently processed during the affected window.

  3. Review openclaw agent permission scope: apply least-privilege principles to all tool and API integrations the agent can invoke.

  4. Check Teams bot activity logs for SSO invoke events from unexpected sender identities between 2026-04-10 and your patch date.

  5. If immediate patching is not possible, consider temporarily disabling Teams SSO invoke functionality or restricting the bot to a private Teams channel with controlled membership as a compensating control.
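For step 4, an added triage sketch (not part of the advisory or of openclaw): it scans bot activity records for SSO sign-in invokes from senders outside the allowlist, from 2026-04-10 up to the patch date. The JSON-lines record shape (`timestamp`, `type`, `name`, `from.aadObjectId`), the sample records, the allowlist and the patch date are constructed assumptions; adapt the field names to your own logging.

```javascript
// Added triage example; log format and all sample values are constructed.
const SSO_INVOKES = new Set(["signin/tokenExchange", "signin/verifyState"]);

function findSuspectSsoInvokes(lines, allowlist, windowStart, patchedAt) {
  const start = Date.parse(windowStart);
  const end = Date.parse(patchedAt);
  const hits = [];
  const unparsed = [];
  lines.forEach((line, i) => {
    if (!line.trim()) return;
    let rec;
    try {
      rec = JSON.parse(line);
      if (rec === null || typeof rec !== "object") throw new Error("not an object");
    } catch {
      unparsed.push(i + 1); // keep the line number for manual review
      return;
    }
    if (rec.type !== "invoke" || !SSO_INVOKES.has(rec.name)) return;
    const ts = Date.parse(rec.timestamp);
    // Records with an unreadable timestamp are kept, not silently dropped.
    if (!Number.isNaN(ts) && (ts < start || ts >= end)) return;
    const sender = (rec.from && rec.from.aadObjectId) || null;
    if (sender === null || !allowlist.has(sender)) {
      hits.push({ line: i + 1, timestamp: rec.timestamp, sender, name: rec.name });
    }
  });
  return { hits, unparsed };
}

// Constructed sample log (JSON lines).
const sampleLog = [
  '{"timestamp":"2026-04-09T23:50:00Z","type":"invoke","name":"signin/tokenExchange","from":{"aadObjectId":"aad-mallory"}}',
  '{"timestamp":"2026-04-11T08:02:11Z","type":"message","from":{"aadObjectId":"aad-mallory"}}',
  '{"timestamp":"2026-04-11T08:02:40Z","type":"invoke","name":"signin/tokenExchange","from":{"aadObjectId":"aad-mallory"}}',
  '{"timestamp":"2026-04-12T10:15:00Z","type":"invoke","name":"signin/verifyState","from":{"aadObjectId":"aad-alice"}}',
  '{"timestamp":"2026-04-13T17:30:05Z","type":"invoke","name":"signin/verifyState","from":{}}',
  'truncated line {"timestamp":',
];

const report = findSuspectSsoInvokes(
  sampleLog,
  new Set(["aad-alice", "aad-bob"]),
  "2026-04-10T00:00:00Z", // first affected release date window from the advisory
  "2026-04-18T00:00:00Z" // assumed patch date for this deployment
);
console.log(JSON.stringify(report, null, 2));
```

Invokes with no sender identity and lines that fail to parse are reported rather than skipped, since either can hide an event from the affected window.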

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  • A.6.2 - AI roles and responsibilities
  • A.9.1 - Access control for AI systems
NIST AI RMF
  • GOVERN 1.7 - Processes for decommissioning AI systems
  • MANAGE 2.2 - Mechanisms to sustain deployed AI systems
OWASP LLM Top 10
  • LLM06 - Excessive Agency

Frequently Asked Questions

Is GHSA-gc9r-867r-j85f actively exploited?

No confirmed active exploitation of GHSA-gc9r-867r-j85f has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-gc9r-867r-j85f?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, Teams-integrated AI agents, enterprise chatbot deployments, SSO-gated agentic workflows.

What is the CVSS score for GHSA-gc9r-867r-j85f?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, Teams-integrated AI agents, enterprise chatbot deployments, SSO-gated agentic workflows

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2, A.9.1
NIST AI RMF: GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Summary

Microsoft Teams SSO invoke handler missed sender authorization checks.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.10 < 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

Microsoft Teams SSO signin invoke handling could process an invoke from a sender before applying the same sender allowlist checks used by normal message handling.

## Technical Details

The fix routes SSO invoke handling through the Teams sender authorization path and adds coverage for denied senders.

## Fix

The issue was fixed in #66033. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `80b1fa17bfc3f6a668492f0326ea52f48bb89776`
- PR: #66033

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
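The flaw class the advisory describes, as an added illustration that is not openclaw's code: a dispatcher whose normal-message branch checks the sender allowlist while the SSO invoke branch does not, beside a version that authorizes every activity before routing. The function names, the allowlist and the sample activity are assumptions; `type`, `name` and `from.aadObjectId` are Bot Framework activity fields, and `signin/tokenExchange` and `signin/verifyState` are the Teams sign-in invoke names.

```javascript
// Illustrative model of the flaw class (CWE-862); not openclaw source code.
// Sender allowlist keyed by Entra object ID (constructed sample values).
const ALLOWED_SENDERS = new Set(["aad-alice", "aad-bob"]);
const SSO_INVOKES = new Set(["signin/tokenExchange", "signin/verifyState"]);

function isSenderAllowed(activity) {
  const id = activity && activity.from && activity.from.aadObjectId;
  return typeof id === "string" && ALLOWED_SENDERS.has(id);
}

// Hypothetical downstream handlers; they only report what they would do.
const handleMessage = (a) => ({ handled: "message", sender: a.from.aadObjectId });
const handleSsoInvoke = (a) => ({ handled: "sso", sender: a.from.aadObjectId });
const deny = (a) => ({ handled: "denied", sender: a.from ? a.from.aadObjectId : null });

// Before: the check lives inside one branch, so the invoke branch skips it.
function dispatchVulnerable(activity) {
  if (activity.type === "message") {
    return isSenderAllowed(activity) ? handleMessage(activity) : deny(activity);
  }
  if (activity.type === "invoke" && SSO_INVOKES.has(activity.name)) {
    return handleSsoInvoke(activity); // no sender authorization on this path
  }
  return { handled: "ignored" };
}

// After: one authorization gate ahead of routing, failing closed for all types.
function dispatchHardened(activity) {
  if (!isSenderAllowed(activity)) return deny(activity);
  if (activity.type === "message") return handleMessage(activity);
  if (activity.type === "invoke" && SSO_INVOKES.has(activity.name)) {
    return handleSsoInvoke(activity);
  }
  return { handled: "ignored" };
}

// Constructed activity from a sender that is not on the allowlist.
const deniedInvoke = {
  type: "invoke",
  name: "signin/tokenExchange",
  from: { id: "29:constructed", aadObjectId: "aad-mallory" },
};
console.log(dispatchVulnerable(deniedInvoke).handled); // "sso"
console.log(dispatchHardened(deniedInvoke).handled); // "denied"
```

A regression test for this class should send a denied sender through every activity type the bot accepts, which matches the advisory's note that the fix adds coverage for denied senders.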

Exploitation Scenario

An attacker gains a foothold in the target organization's Microsoft Teams environment — either as a compromised legitimate user or as a guest account with limited permissions. The attacker identifies an openclaw AI agent bot deployed in a channel they cannot normally interact with due to sender allowlist restrictions. By crafting a direct Teams SSO invoke message to the bot (rather than a normal message), they bypass the allowlist check entirely. The bot processes the SSO flow as if the sender were authorized, granting the attacker an authenticated session with the agent. The attacker then leverages the agent's tool access — potentially querying internal APIs, retrieving documents from connected repositories, or pivoting to other internal systems the agent can reach — all while appearing to operate within a legitimate Teams SSO flow.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026
