Cyber Resilience

CVE-2026-28481

Severity: Medium · Public PoC

Published: 05 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: available (2026.2.1)
CVSS Score (v4.0): 5.9 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0004 (13.1 percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28481 is a medium-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in OpenClaw. Its CVSS v4.0 base score is 5.9 (Medium); the CVSS v3.1 base score is 6.5.

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE sits at the 13.1 percentile by EPSS exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-28481 is an information disclosure vulnerability (CWE-201) affecting OpenClaw versions 2026.1.30 and earlier, with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). The issue resides in the optional MS Teams attachment downloader extension, which must be explicitly enabled. When an attachment fetch comes back with HTTP 401 or 403, the downloader retries the request with an Authorization bearer token attached, and the only check gating that retry is a suffix match against an allowlist. Because hosts are accepted on suffix alone rather than on an exact host match, an attacker-controlled host whose name merely ends with an allowlisted string receives the token, enabling token exfiltration.

Attackers can exploit this vulnerability remotely and without privileges by tricking a user into attempting to download an MS Teams attachment whose URL points at a malicious domain that satisfies the suffix allowlist. User interaction is required, such as clicking a link or otherwise triggering the downloader; the attacker's server need only answer the first request with 401 or 403 to provoke the credentialed retry. Successful exploitation lets the attacker capture the leaked bearer token, which could grant unauthorized access to the victim's MS Teams resources or associated services depending on the token's scope.
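The snippet below is an added illustration written for this page, not OpenClaw's code, and it is not tied to the project's implementation language. It models the flawed check as a bare string-suffix test (an assumption about the shape of the permissive allowlist, not a detail the advisory states) and places it beside a dot-bounded host match, then replays a constructed set of 401/403 responses through the "retry with credentials" path to show which hosts end up receiving the bearer token under each check. The allowlist entries, host names, token and HTTP statuses are all constructed.

```python
"""Bearer-token gating on retry: permissive suffix allowlist vs. strict host match.

Added illustration for this page, not OpenClaw's code. The allowlist entries,
host names, token and HTTP statuses below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allowlist of the shape a downloader might ship with.
ALLOWED_SUFFIXES = ("sharepoint.com", "graph.microsoft.com")

# Constructed token; never a real credential.
TOKEN = "eyJ-constructed-example-token"


def host_allowed_permissive(host: str, suffixes=ALLOWED_SUFFIXES) -> bool:
    """Flawed pattern (assumed shape of the bug): a bare string-suffix test.

    'evilsharepoint.com'.endswith('sharepoint.com') is True, so an attacker
    who registers such a name passes the check.
    """
    return any(host.lower().endswith(s) for s in suffixes)


def host_allowed_strict(host: str, suffixes=ALLOWED_SUFFIXES) -> bool:
    """Hardened pattern: exact host, or a real subdomain with a dot boundary."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def auth_headers_for(url: str, allow) -> dict:
    """Return request headers, attaching the bearer token only when the
    parsed hostname passes `allow` and the scheme is https.

    Matching the parsed host (not the raw URL string) keeps
    'https://attacker.example/dl?u=sharepoint.com' out; the scheme check keeps
    the token off plaintext http even to a trusted host.
    """
    parts = urlsplit(url)
    if parts.scheme == "https" and allow(parts.hostname or ""):
        return {"Authorization": f"Bearer {TOKEN}"}
    return {}


def download_with_retry(url: str, allow, transport: dict, sent_to: list) -> int:
    """One unauthenticated fetch; on 401/403, one retry with credentials.

    `transport` is a constructed stand-in for the network (url -> status).
    `sent_to` records every host that received the token on the retry.
    """
    status = transport.get(url, 404)
    if status in (401, 403):
        headers = auth_headers_for(url, allow)
        if "Authorization" in headers:
            sent_to.append(urlsplit(url).hostname)
        status = transport.get(url, 404)  # the retry, same fake transport
    return status


# Constructed scenario: one legitimate host, one look-alike that only ends
# with an allowlisted suffix, one host smuggling the suffix in the query,
# and a plaintext-http URL to a trusted host.
SCENARIO = {
    "https://contoso.sharepoint.com/sites/x/file.docx": 401,
    "https://evilsharepoint.com/file.docx": 403,
    "https://attacker.example/dl?u=sharepoint.com": 401,
    "http://contoso.sharepoint.com/file.docx": 401,
}


def hosts_receiving_token(allow, transport=SCENARIO) -> list:
    """Run the scenario under a given allow function; return the hosts that got the token."""
    sent_to = []
    for url in transport:
        download_with_retry(url, allow, transport, sent_to)
    return sent_to


if __name__ == "__main__":
    print("permissive:", hosts_receiving_token(host_allowed_permissive))
    print("strict:    ", hosts_receiving_token(host_allowed_strict))
```

Under the permissive check the look-alike host evilsharepoint.com is handed the token on the retry; under the strict check only the genuine contoso.sharepoint.com subdomain is. The two other cases show the checks a reviewer would also want in the retry path: compare the parsed hostname rather than the URL string, and refuse to attach credentials over plaintext http regardless of the host.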

The vulnerability is patched in OpenClaw version 2026.2.1, as detailed in the project's GitHub commit (41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b), the security advisory (GHSA-7vwx-582j-j332), and the VulnCheck analysis. Security practitioners should have users upgrade to 2026.2.1 or later and, until the patch is deployed, disable the MS Teams attachment downloader extension wherever it is not needed.

Vulnerability details

OpenClaw versions 2026.1.30 and earlier contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft.

CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability directly causes bearer token exfiltration to attacker-controlled hosts matching the permissive allowlist during attachment download retries, enabling theft of application access tokens for MS Teams.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32913 (same product: OpenClaw)
CVE-2026-32982 (same product: OpenClaw)
CVE-2026-28464 (same product: OpenClaw)
CVE-2026-25253 (same product: OpenClaw)
CVE-2026-41299 (same product: OpenClaw)
CVE-2026-41912 (same product: OpenClaw)
CVE-2026-44110 (same product: OpenClaw)
CVE-2026-41378 (same product: OpenClaw)
CVE-2026-44116 (same product: OpenClaw)
CVE-2026-32988 (same product: OpenClaw)

Affected Assets

openclaw:openclaw ≤ 2026.1.30

Mitigating Controls (NIST 800-53 r5)

AC-4 Information Flow Enforcement (prevent): Enforces information flow rules that would block bearer tokens from being sent to untrusted hosts outside the intended MS Teams domains.

AC-3 Access Enforcement (prevent): Enforces access control decisions on credential transmission, preventing the downloader from attaching Authorization headers to requests matching only a permissive suffix allowlist.

Output filtering (prevent): Filters sensitive output (bearer tokens) before transmission during retry logic after 401/403 responses.
