GHSA-ch86-pxr9-j9h9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ch86-pxr9-j9h9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-ch86-pxr9-j9h9/GHSA-ch86-pxr9-j9h9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ch86-pxr9-j9h9
- Withdrawn
- 2026-04-07T14:24:10Z
- Published
- 2026-04-03T21:31:43Z
- Modified
- 2026-04-07T14:35:38.649892Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.
- Database specific
{ "github_reviewed_at": "2026-04-07T14:24:10Z", "nvd_published_at": "2026-04-03T21:17:11Z", "cwe_ids": [ "CWE-330" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf
- https://nvd.nist.gov/vuln/detail/CVE-2026-34511
- https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f
- https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw