Mar 29, 2026
An authorization bypass in OpenClaw's MS Teams integration allows attackers outside the allowlist to submit session feedback via `invoke` activities, polluting session logs and triggering unauthorized AI actions.
OpenClaw versions up to 2026.3.24 contain an authorization bypass vulnerability in the Microsoft Teams extension. The flaw allows unauthorized users to bypass sender allowlists by sending specially crafted `invoke` activities, leading to unauthorized session feedback recording and potential feedback reflection.
The OpenClaw artificial intelligence framework provides a Microsoft Teams extension (extensions/msteams) to facilitate interactions between users and AI agents. This extension relies on specific security controls, primarily dmPolicy, allowFrom, and groupAllowFrom, to restrict which users possess authorization to interact with the bot.
The application correctly applies these authorization checks to standard text messages arriving through the primary ActivityType.Message pathway. A critical oversight occurs when processing secondary interaction methods, specifically invoke activities generated by user interface components.
This discrepancy introduces an Incorrect Authorization (CWE-863) vulnerability, documented as GHSA-RF6H-5GPW-QRGQ. Unauthenticated or unauthorized users can bypass the primary allowlist mechanism and interact directly with the agent's feedback system, regardless of network position or policy configuration.
The vulnerability originates from the asynchronous handling mechanisms within the MSTeamsActivityHandler class. When the Microsoft Teams platform sends an event to the bot framework, the incoming payload includes an activity type parameter that determines the subsequent processing route inside the application.
Standard user messages (ActivityType.Message) traverse a dedicated authorization middleware that validates the sender against the configured allowFrom list. If the sender identifier is absent from this list, the middleware immediately rejects the request and halts further context processing.
Interactions with adaptive cards, such as "Like" or "Dislike" feedback buttons, generate an invoke activity with the specific name message/submitAction. The code path responsible for handling these invoke events lacked the required calls to the authorization middleware, leaving the application entirely dependent on the client to govern request legitimacy.
Prior to the patch, the application processed feedback invocation events without verifying the sender's origin against the dmPolicy or groupPolicy. The handler simply parsed the incoming invoke payload and recorded the embedded feedback directly into the corresponding .jsonl session context.
Commit c5415a474bb085404c20f8b312e436997977b1ea resolves this architectural flaw by centralizing the authorization logic. The patch introduces a shared utility function named resolveMSTeamsSenderAccess to ensure consistent validation logic applies across all activity types.
The remediation modifies extensions/msteams/src/monitor-handler.ts by introducing the isFeedbackInvokeAuthorized asynchronous function. This function explicitly evaluates the sender access decision before allowing the feedback processing logic to proceed.
```typescript
// Post-patch extensions/msteams/src/monitor-handler.ts
// Excerpt: isDirectMessage, senderId and conversationId are not defined
// in the lines shown here.
async function isFeedbackInvokeAuthorized(
  context: MSTeamsTurnContext,
  deps: MSTeamsMessageHandlerDeps,
): Promise<boolean> {
  // Same sender-access decision that the message path uses
  const resolved = await resolveMSTeamsSenderAccess({
    cfg: deps.cfg,
    activity: context.activity,
  });
  // Access control validation check
  if (isDirectMessage && resolved.access.decision !== "allow") {
    deps.log.debug?.("dropping feedback invoke (dm sender not allowlisted)", {
      sender: senderId,
      conversationId,
    });
    return false;
  }
  return true;
}
```

Exploitation requires an attacker to transmit a crafted HTTP request representing an invoke activity directly to the Microsoft Teams bot endpoint. The attacker must specify message/submitAction as the invoke name and embed the desired feedback payload within the request body.
The attacker must possess knowledge of a valid active session identifier, or the application configuration must allow the creation of new session contexts upon receiving unprompted feedback. The provided test suite monitor-handler.feedback-authz.test.ts demonstrates this exact vector by simulating an attacker-aad sender identity omitted from the allowFrom list.
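The routing gap and its fix can be modeled in a few lines. The following is an added illustration, not OpenClaw's code: the types, function names and the `trusted-aad` identity are hypothetical, and the model ignores the direct-message versus group distinction that the real patch evaluates.

```typescript
// Added illustration; hypothetical names, not the project's implementation.
type Activity = {
  type: "message" | "invoke";
  name?: string; // "message/submitAction" for adaptive-card feedback
  from: { aadObjectId: string };
};
type Config = { allowFrom: string[] };

// One access decision that every activity type should share.
function senderAllowed(cfg: Config, a: Activity): boolean {
  return cfg.allowFrom.includes(a.from.aadObjectId);
}
const isFeedback = (a: Activity): boolean =>
  a.type === "invoke" && a.name === "message/submitAction";

// Pre-patch shape: only the message branch consults the allowlist.
function routePrePatch(cfg: Config, a: Activity, sessionLog: string[]): boolean {
  if (a.type === "message") {
    if (!senderAllowed(cfg, a)) return false;
    sessionLog.push(`message:${a.from.aadObjectId}`);
    return true;
  }
  if (isFeedback(a)) {
    sessionLog.push(`feedback:${a.from.aadObjectId}`); // no sender check
    return true;
  }
  return false;
}

// Post-patch shape: authorize once, then dispatch on activity type.
function routePostPatch(cfg: Config, a: Activity, sessionLog: string[]): boolean {
  if (!senderAllowed(cfg, a)) return false;
  if (a.type === "message") {
    sessionLog.push(`message:${a.from.aadObjectId}`);
    return true;
  }
  if (isFeedback(a)) {
    sessionLog.push(`feedback:${a.from.aadObjectId}`);
    return true;
  }
  return false;
}

// Constructed inputs mirroring the test described above.
const CFG: Config = { allowFrom: ["trusted-aad"] };
const feedbackFrom = (id: string): Activity =>
  ({ type: "invoke", name: "message/submitAction", from: { aadObjectId: id } });
```

A regression test for this class of bug should send every supported activity type from a sender outside `allowFrom` and assert that none of them reaches the session log.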
Successful exploitation allows the attacker to inject arbitrary data into the .jsonl session files utilized by the OpenClaw agent. If the framework is configured to execute "feedback reflection", this manipulated data forces the agent to perform unauthorized downstream tasks or generate specific responses based on the fabricated feedback.
Administrators must update the OpenClaw framework to a version released after March 26, 2026, incorporating commit c5415a474bb085404c20f8b312e436997977b1ea. This update ensures the proper authorization gating applies to all Microsoft Teams activity types.
Security teams should review historical .jsonl session records for indications of exploitation. Anomalous feedback entries associated with unrecognized Microsoft Teams sender identifiers signify potential unauthorized manipulation of the AI agent's context.
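One way to run that review, as an added example that is not part of OpenClaw: the record fields (`type`, `senderId`, `ts`) and the sample lines are assumptions constructed for illustration, so map them to the fields your session files actually contain.

```typescript
// Added example; field names are assumed, not OpenClaw's documented schema.
type Finding = { line: number; senderId: string; ts: string };
type AuditResult = { findings: Finding[]; unparsable: number[] };

function auditFeedback(jsonl: string, allowFrom: string[]): AuditResult {
  // Normalise case and whitespace so formatting differences do not hide a match.
  const allowed = new Set(allowFrom.map((id) => id.trim().toLowerCase()));
  const result: AuditResult = { findings: [], unparsable: [] };
  jsonl.split(/\r?\n/).forEach((raw, i) => {
    if (raw.trim() === "") return;
    let rec: any;
    try {
      rec = JSON.parse(raw);
    } catch {
      result.unparsable.push(i + 1); // truncated or corrupted line: review by hand
      return;
    }
    if (rec === null || typeof rec !== "object" || rec.type !== "feedback") return;
    const sender =
      typeof rec.senderId === "string" ? rec.senderId.trim().toLowerCase() : "";
    // Feedback with no sender, or a sender outside allowFrom, needs review.
    if (sender === "" || !allowed.has(sender)) {
      result.findings.push({
        line: i + 1,
        senderId: sender || "(missing)",
        ts: String(rec.ts ?? ""),
      });
    }
  });
  return result;
}

// Constructed sample session log (not real data).
const SAMPLE_SESSION = [
  '{"type":"message","senderId":"trusted-aad","ts":"2026-03-20T10:00:00Z","text":"hi"}',
  '{"type":"feedback","senderId":"trusted-aad","ts":"2026-03-20T10:01:00Z","reaction":"like"}',
  '{"type":"feedback","senderId":"attacker-aad","ts":"2026-03-21T02:13:00Z","reaction":"dislike"}',
  '{"type":"feedback","ts":"2026-03-21T02:14:00Z","reaction":"dislike"}',
  '{"type":"feedback","senderId":"att',
].join("\n");
```

Run it against the allowlist that was in force when the records were written, since later edits to `allowFrom` would otherwise flag or hide the wrong entries.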
Administrators must verify the channel configuration sets dmPolicy to allowlist and maintains accurate entries in the allowFrom array. Strict management of these lists prevents unauthorized entity interactions and restricts the attack surface exclusively to explicitly trusted user identities.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| openclaw OpenClaw | <= 2026.3.24 | > 2026.3.24 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-863 (Incorrect Authorization) |
| Attack Vector | Network (Crafted Microsoft Teams Activity) |
| Impact | Unauthorized Data Manipulation / Privilege Abuse |
| Exploit Status | Proof of Concept (Unit Test) |
| CVSS Score | 5.3 (Medium) |
| Affected Component | MSTeamsActivityHandler |
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.