CVE-2026-32037

OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls.
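The bypass class the description names, shown as an added example that is not OpenClaw's code and does not reproduce the referenced commits: a downloader that validates the attachment host once and then lets the HTTP client follow redirects, beside one that re-checks scheme and host on every hop. The allowlist format (exact host or `*.suffix`), the hostnames, the internal target `10.0.0.5`, and the in-memory `fakeFetch` transport are all constructed for the demo so it runs offline.

```javascript
// Added example (not OpenClaw's code). All hosts, paths and responses below
// are constructed for the demo; nothing here touches the network.

// Assumed allowlist format: an exact hostname, or "*.suffix" for any
// subdomain of suffix (the bare suffix itself is not matched).
const mediaAllowHosts = ["cdn.example.test", "*.media.example.test"];

function hostAllowed(hostname, allowHosts) {
  const h = hostname.toLowerCase();
  return allowHosts.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith("*.")) {
      const suffix = e.slice(1); // ".media.example.test"
      return h.endsWith(suffix) && h.length > suffix.length;
    }
    return h === e;
  });
}

// Constructed transport standing in for fetch(): a URL maps to one response.
const responses = {
  "https://cdn.example.test/attachments/42":   { status: 302, location: "https://cdn.example.test/blob/42" },
  "https://cdn.example.test/blob/42":          { status: 200, body: "PNG bytes (allowlisted CDN)" },
  // Attacker-influenced attachment: first hop is allowlisted, then it redirects inward.
  "https://cdn.example.test/attachments/evil": { status: 302, location: "http://10.0.0.5/admin/export" },
  "http://10.0.0.5/admin/export":              { status: 200, body: "internal-only data" },
  // Relative Location header: must be resolved against the current URL before checking.
  "https://cdn.example.test/attachments/rel":  { status: 302, location: "/blob/42" },
};

function fakeFetch(url) {
  const r = responses[url];
  if (!r) return { status: 404, location: null, body: "" };
  return { status: r.status, location: r.location ?? null, body: r.body ?? "" };
}

const MAX_REDIRECTS = 5;

function isRedirect(res) {
  return res.status >= 300 && res.status < 400 && res.location !== null;
}

// Vulnerable pattern: the allowlist is consulted for the initial URL only;
// every subsequent hop is fetched wherever the Location header points.
function downloadVulnerable(attachmentUrl, allowHosts) {
  let current = new URL(attachmentUrl);
  if (!hostAllowed(current.hostname, allowHosts)) {
    throw new Error(`host not allowed: ${current.hostname}`);
  }
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = fakeFetch(current.href);
    if (isRedirect(res)) {
      current = new URL(res.location, current); // no re-validation here
      continue;
    }
    return { finalUrl: current.href, status: res.status, body: res.body };
  }
  throw new Error("too many redirects");
}

// Hardened pattern: every URL that will actually be fetched, the first one
// and each redirect target, must pass the same host and scheme checks.
function assertFetchable(url, allowHosts) {
  if (!hostAllowed(url.hostname, allowHosts)) {
    throw new Error(`host not allowed: ${url.hostname}`);
  }
  if (url.protocol !== "https:") {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
}

function downloadHardened(attachmentUrl, allowHosts) {
  let current = new URL(attachmentUrl);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    assertFetchable(current, allowHosts); // runs for hop 0 and for every redirect target
    const res = fakeFetch(current.href);
    if (isRedirect(res)) {
      current = new URL(res.location, current);
      continue;
    }
    return { finalUrl: current.href, status: res.status, body: res.body };
  }
  throw new Error("too many redirects");
}

function demo() {
  const leaked = downloadVulnerable("https://cdn.example.test/attachments/evil", mediaAllowHosts);
  let blocked = "not blocked";
  try {
    downloadHardened("https://cdn.example.test/attachments/evil", mediaAllowHosts);
  } catch (e) {
    blocked = e.message;
  }
  return { vulnerableFinalUrl: leaked.finalUrl, hardenedResult: blocked };
}
```

Two caveats a reviewer would raise against even the hardened version: checking the hostname string does not bind the socket to that host, so a production downloader should also reject redirect targets that resolve to loopback, link-local or private addresses (or pin the resolved address it connects to) to close the DNS rebinding gap; and the client must be configured not to follow redirects on its own (for example `redirect: "manual"` with fetch), otherwise the per-hop loop above never sees the intermediate Location headers.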
Configurations

Configuration 1

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

23 Mar 2026, 17:15

Type        Values Removed    Values Added
First Time                    Openclaw openclaw
                              Openclaw
CPE                           cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Summary                       (es, translated) OpenClaw versions prior to 2026.2.22 do not consistently validate redirect chains against the configured `mediaAllowHosts` allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to targets not on the allowlist, bypassing SSRF boundary controls.
References  https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c (tag added: Patch)
References  https://github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124 (tag added: Patch)
References  https://github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh (tag added: Vendor Advisory)
References  https://www.vulncheck.com/advisories/openclaw-redirect-chain-bypass-of-media-host-allowlist-in-msteams-attachment-handling (tag added: Third Party Advisory)

19 Mar 2026, 22:16

Type        Values Removed    Values Added
New CVE

Information

Published : 2026-03-19 22:16

Updated : 2026-03-23 17:15


NVD link : CVE-2026-32037

Mitre link : CVE-2026-32037

CVE.ORG link : CVE-2026-32037

Products Affected

openclaw

  • openclaw
CWE
CWE-918

Server-Side Request Forgery (SSRF)