CVE-2026-28481
Published: 05 March 2026
Summary
CVE-2026-28481 is a medium-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in OpenClaw. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE is ranked at the 10.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Taint tracking (marking sensitive values such as bearer tokens at their source and following them through the code) allows detection when they are inserted into outbound or sent data streams.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly causes bearer token exfiltration: during attachment download retries, the token is sent to attacker-controlled hosts that match the permissive allowlist, enabling theft of application access tokens for MS Teams.
NVD Description
OpenClaw versions 2026.1.30 and earlier contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft.
Deeper analysis
CVE-2026-28481 is an information disclosure vulnerability (CWE-201) affecting OpenClaw versions 2026.1.30 and earlier, with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). The issue resides in the optional MS Teams attachment downloader extension, which must be explicitly enabled. When the downloader retries failed attachment fetches after receiving HTTP 401 or 403 responses, it erroneously sends Authorization bearer tokens to untrusted hosts that match a permissive suffix-based allowlist, enabling potential token exfiltration.
Attackers can exploit this vulnerability remotely without privileges by tricking a user into attempting to download an MS Teams attachment from a malicious domain that matches the application's suffix allowlist. User interaction is required, such as clicking a link or triggering the downloader. Successful exploitation allows the attacker to capture the leaked bearer tokens, which could grant unauthorized access to the victim's MS Teams resources or associated services depending on the token's scope.
The vulnerability has been patched in OpenClaw version 2026.2.1, as detailed in the project's GitHub commit (41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b), security advisory (GHSA-7vwx-582j-j332), and VulnCheck analysis. Security practitioners should advise users to update to the fixed version immediately and consider disabling the MS Teams attachment downloader extension if not needed, pending patch deployment.
Details
- CWE(s)