CVE-2026-34511
MEDIUM
OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter
Title source: cna
Description
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.
References (3)
Vendor Advisory
GitHub Security Advisory (GHSA-9jpj-g8vv-j5mf)
https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f
Third Party Advisory
https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter
Scores
CVSS v3
5.3
EPSS
0.0024
EPSS Percentile
14.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-330
Status
published
Products (4)
npm/openclaw
0 - 2026.4.2 (npm)
OpenClaw/OpenClaw
< 2026.4.2
openclaw/openclaw
< 2026.4.2
OpenClaw/OpenClaw
2026.4.2
Published
Apr 03, 2026
Tracked Since
Apr 04, 2026