OpenClaw's Microsoft Teams integration received a targeted security hardening pass today with the merge of PR #65841 by @steipete. The change closes four distinct vulnerabilities in the Teams extension, covering injection, server-side request forgery, and privilege escalation vectors — all verified correct with a 5/5 confidence rating from Greptile's automated review.
What Was Fixed
OData User-ID Injection
The first fix addresses how user identifiers were passed into OData query strings inside the Teams extension. Without proper sanitization, a crafted user ID could manipulate the query structure and potentially leak or corrupt directory lookups. The patch ensures IDs are escaped before they reach the API layer.
Arbitrary Conversation-Member Role Values
The second vulnerability allowed unvalidated role values to be submitted when modifying conversation members. In practice this meant an attacker with appropriate channel access could attempt to escalate privileges by supplying unexpected role strings. The fix validates roles against an allowlist before they are forwarded to the Graph API.
SSRF via Private-IP DNS Bypass in Attachment Fetches
The third — and arguably most impactful — fix targets server-side request forgery in Teams attachment downloads. The extension fetches media attachments on behalf of users, and the previous implementation could be coerced into resolving and connecting to private IP ranges by supplying an attachment URL that DNS-resolved to an internal address.
The patch introduces a resolveFn parameter throughout shared.ts, defaulting to Node's built-in lookup, and validates the resolved IP against a blocklist before any HTTP connection is made. This ensures the SSRF guard runs on every fetch path, including redirects.
resolveAndValidateIP(initialHost, resolveFn)
The fix mirrors the approach already taken in attachments.test.ts and brings bot-framework.ts into alignment.
Shell Injection in Delegated OAuth URL Opener
The fourth fix hardens the delegated OAuth flow used when Teams prompts for sign-in. The previous implementation passed the callback URL to a shell opener without sufficient escaping, creating a shell injection risk if the URL contained metacharacters. The updated code sanitizes the URL before it reaches the shell layer.
Why It Matters
Microsoft Teams is one of OpenClaw's most widely deployed enterprise channels, often running in environments where the gateway has access to internal networks and sensitive API credentials. SSRF vulnerabilities in this context are particularly dangerous because a gateway sitting inside a corporate perimeter can reach internal services that external attackers cannot.
The Greptile review flagged two minor follow-up items — dead if (resolveFn) guards in shared.ts that are now always truthy, and missing resolveFn mocks in bot-framework.test.ts that could cause test failures in air-gapped CI environments. Neither affects runtime security, but both are worth cleaning up in a follow-on PR.
Updating Your Installation
If you are running OpenClaw with the Microsoft Teams channel enabled, upgrade as soon as the next release ships. You can track when these fixes land in a tagged release on the GitHub releases page. No configuration changes are required — the fixes are internal to the attachment and auth flows.
npm install -g openclaw@latest
openclaw gateway restart
These fixes were contributed by @steipete and are consistent with OpenClaw's recent trend of AI-assisted security hardening across channel extensions.