CVE-2026-34511: PKCE Verifier Exposure via OAuth State Parameter in OpenClaw
Vulnerability ID: GHSA-9JPJ-G8VV-J5MF
CVSS Score: 6.0
Published: 2026-04-04
OpenClaw versions prior to 2026.4.2 contain a security parameter isolation violation in the Gemini OAuth flow. The application incorrectly reuses the PKCE code_verifier as the value for the OAuth state parameter, exposing the secret verifier in plaintext via the redirect URI and defeating PKCE protections.
TL;DR
The OpenClaw Gemini extension leaks the PKCE code_verifier by assigning it to the OAuth state parameter. Attackers who intercept the redirect URI can perform an authorization code exchange and obtain user access tokens.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-1259, CWE-330, CWE-200
- Attack Vector: Network
- CVSS v4.0 Score: 6.0
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
- Impact: High Confidentiality
- Exploit Status: PoC
- KEV Status: Not Listed
Affected Systems
- OpenClaw Google/Gemini Extension
- OpenClaw: < 2026.4.2 (Fixed in: 2026.4.2)
Code Analysis
Commit: a26f4d0
Fix PKCE verifier exposure via OAuth state parameter
Exploit Details
- Context Research: Theoretical attack methodology detailed in advisory
Mitigation Strategies
- Upgrade OpenClaw to version 2026.4.2 or higher.
- Revoke existing Google OAuth grants for the OpenClaw application.
- Implement strict parameter isolation in custom OAuth flows.
- Utilize CSPRNGs for all distinct cryptographic nonces and state variables.
Remediation Steps:
- Pull the latest version of OpenClaw (>= 2026.4.2) from the repository or package manager.
- Deploy the updated version to the host environment.
- Navigate to the Google Account Security settings.
- Revoke third-party access for the OpenClaw application.
- Re-authenticate within the updated OpenClaw application to generate new, secure tokens.
References
- GitHub Security Advisory GHSA-9JPJ-G8VV-J5MF
- Fix Commit a26f4d0f3ef0757db6c6c40277cc06a5de76c52f
- VulnCheck Advisory for OpenClaw
- CveOrg Record CVE-2026-34511