CVE-2026-32037: OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content.
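The following is an added illustration of the failure mode described above and is not OpenClaw's code or its fix: it contrasts a fetch that checks the allowlist only on the attachment's initial URL with one that re-checks every resolved redirect hop before fetching it. The names fetchMediaWeak, fetchMediaSafe and the constructed hosts are assumptions for the example; only the option name mediaAllowHosts comes from the advisory.

```typescript
type HopResponse = { status: number; location?: string; body?: string };
type Fetcher = (url: string) => HopResponse;
type FetchResult = { ok: true; finalUrl: string; body: string } | { ok: false; reason: string };

// Exact, case-insensitive hostname match against the configured allowlist.
function hostAllowed(url: string, mediaAllowHosts: string[]): boolean {
  const host = new URL(url).hostname.toLowerCase();
  return mediaAllowHosts.some((h) => h.toLowerCase() === host);
}
function isRedirect(res: HopResponse): boolean {
  return res.status >= 300 && res.status < 400 && res.location !== undefined;
}

// Weak pattern: only the URL named by the attachment is checked; the redirect
// chain after it is followed blindly, so a Location header can leave the allowlist.
function fetchMediaWeak(url: string, mediaAllowHosts: string[], fetcher: Fetcher): FetchResult {
  if (!hostAllowed(url, mediaAllowHosts)) return { ok: false, reason: `host not allowed: ${url}` };
  let current = url;
  for (let hop = 0; hop <= 5; hop++) {
    const res = fetcher(current);
    if (isRedirect(res)) { current = new URL(res.location!, current).toString(); continue; }
    if (res.status !== 200) return { ok: false, reason: `status ${res.status} at ${current}` };
    return { ok: true, finalUrl: current, body: res.body ?? "" };
  }
  return { ok: false, reason: "too many redirects" };
}

// Hardened pattern: every hop, including each resolved Location target, must pass
// the allowlist before it is fetched, and the chain length is bounded.
function fetchMediaSafe(url: string, mediaAllowHosts: string[], fetcher: Fetcher, maxRedirects = 5): FetchResult {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!hostAllowed(current, mediaAllowHosts)) return { ok: false, reason: `hop ${hop} left allowlist: ${current}` };
    const res = fetcher(current);
    if (isRedirect(res)) { current = new URL(res.location!, current).toString(); continue; }
    if (res.status !== 200) return { ok: false, reason: `status ${res.status} at ${current}` };
    return { ok: true, finalUrl: current, body: res.body ?? "" };
  }
  return { ok: false, reason: "too many redirects" };
}

// Constructed stand-in for the network (no real hosts): an allowlisted host that
// redirects, via a relative Location, to a host outside the allowlist.
const mediaAllowHosts = ["media.allowed.example"];
const constructedChain: Record<string, HopResponse> = {
  "https://media.allowed.example/a.png": { status: 302, location: "/cdn/a.png" },
  "https://media.allowed.example/cdn/a.png": { status: 301, location: "https://not-allowed.example/a.png" },
  "https://not-allowed.example/a.png": { status: 200, body: "bytes fetched from outside the allowlist" },
};
const constructedFetcher: Fetcher = (u) => constructedChain[u] ?? { status: 404 };
```

The weak variant accepts the bytes served by not-allowed.example, while the hardened variant rejects the chain at the hop that leaves the allowlist.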
References
- github.com/advisories/GHSA-w76h-8m22-hpgh
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c
- github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124
- github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh
- nvd.nist.gov/vuln/detail/CVE-2026-32037
- www.vulncheck.com/advisories/openclaw-redirect-chain-bypass-of-media-host-allowlist-in-msteams-attachment-handling