OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter | Advisories

Advisories

OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter

severity: medium
date: 4/3/2026
Affecting: OpenClaw < 2026.4.2
CVE: CVE-2026-34511
CWE: CWE-330 Use of Insufficiently Random Values
CVSS: 6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: GitHub Security Advisory (GHSA-9jpj-g8vv-j5mf)
Patch Commit
Credit: RaaX
Description: OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo