Description

OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls.

INFO

Published Date :

2026-03-19T22:07:11.641Z

Last Modified :

2026-03-20T18:09:42.171Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32037 vulnerability.

Vendors Products
Openclaw
  • Openclaw
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32037.

URL Resource
https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c cve-icon cve-icon
https://github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124 cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh cve-icon cve-icon
https://www.vulncheck.com/advisories/openclaw-redirect-chain-bypass-of-media-host-allowlist-in-msteams-attachment-handling cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact