CVE-2026-35654: OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback

March 29, 2026 (updated April 10, 2026)

MS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback

References

github.com/advisories/GHSA-rf6h-5gpw-qrgq
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea
github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq
nvd.nist.gov/vuln/detail/CVE-2026-35654

Code Behaviors & Features

Detect and mitigate CVE-2026-35654 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →