CVE-2026-32037

low

Description

OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls.

References

https://www.vulncheck.com/advisories/openclaw-redirect-chain-bypass-of-media-host-allowlist-in-msteams-attachment-handling

https://github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh

https://github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124

https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c

Details

Source: Mitre, NVD

Published: 2026-03-19

Updated: 2026-03-23

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium

CVSS v4

Base Score: 2.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Severity: Low

EPSS

EPSS: 0.00036