GHSA-w76h-8m22-hpgh: OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists

March 3, 2026

In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content.

References

github.com/advisories/GHSA-w76h-8m22-hpgh
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c
github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124
github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh

Code Behaviors & Features

Detect and mitigate GHSA-w76h-8m22-hpgh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →