Vulnerability Description
OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | <= 2026.1.30 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/41cc5bcd4f1d434ad1bbdfa55b56f25025ecPatch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7vwx-582j-j332Vendor Advisory
- https://www.vulncheck.com/advisories/openclaw-bearer-token-leakage-via-ms-teams-Third Party Advisory
FAQ
What is CVE-2026-28481?
CVE-2026-28481 is a vulnerability with a CVSS score of 6.5 (MEDIUM). OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bea...
How severe is CVE-2026-28481?
CVE-2026-28481 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28481?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.