{"id":"GHSA-9jpj-g8vv-j5mf","summary":"OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter","details":"## Summary\n\nBefore OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth `state` value. Because the provider reflected `state` back in the redirect URL, the verifier could be exposed alongside the authorization code.\n\n## Impact\n\nAnyone who could capture the redirect URL could learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection for that flow and enabling token redemption.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.4.1`\n- Patched versions: `\u003e= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `a26f4d0f3ef0757db6c6c40277cc06a5de76c52f` — separate OAuth state from the PKCE verifier\n\nOpenClaw thanks @BG0ECV for reporting.","aliases":["CVE-2026-34511"],"modified":"2026-04-07T14:35:45.361838Z","published":"2026-04-04T06:26:55Z","database_specific":{"severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-345"],"nvd_published_at":null,"github_reviewed_at":"2026-04-04T06:26:55Z"},"references":[{"type":"WEB","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34511"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f"},{"type":"PACKAGE","url":"https://github.com/openclaw/openclaw"},{"type":"WEB","url":"https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter"}],"affected":[{"package":{"name":"openclaw","ecosystem":"npm","purl":"pkg:npm/openclaw"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2026.4.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9jpj-g8vv-j5mf/GHSA-9jpj-g8vv-j5mf.json","last_known_affected_version_range":"\u003c= 2026.4.1"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N"}]}