CVE-2026-34511 is an OAuth PKCE implementation flaw in OpenClaw (npm ≤ 2026.4.1) where the Gemini OAuth flow incorrectly reuses the PKCE verifier as the OAuth state parameter, causing it to be reflected in redirect URLs alongside the authorization code—defeating PKCE's core defense against authorization code interception. Any party who can observe the redirect URL—through server logs, referrer headers, browser history, shared reverse proxies, or a network-positioned attacker—can extract both values and redeem a valid OAuth token to fully impersonate the authenticated user. Although the raw EPSS score is low (0.00029), this vulnerability lands in the top 92nd percentile for exploitation likelihood, and OpenClaw's 13-CVE track record signals a persistent pattern of inadequate security maturity that warrants broad concern. Patch to version 2026.4.2 immediately; if patching is blocked, restrict access to redirect URL logs and monitor for OAuth token redemptions from unexpected IPs or outside normal session windows.
What is the risk?
Moderate-to-high risk for organizations using OpenClaw's Gemini OAuth integration. Exploitation requires visibility into redirect URLs, which is realistically achievable via server access logs, browser history leak, compromised infrastructure, or network interception—not exotic capabilities in enterprise environments. No public exploits exist and the CVE is absent from CISA KEV, reducing immediate urgency, but the structural nature of the flaw means all deployments on affected versions are persistently vulnerable until patched. The 13-CVE history of this package justifies a broader security review of OpenClaw's authentication subsystem beyond this single fix.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.4.1 | 2026.4.2 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Patch: Upgrade the openclaw npm package to >= 2026.4.2 immediately. Fix commit a26f4d0f separates OAuth state from the PKCE verifier.
-
Scope: Confirm whether your deployment uses the Gemini OAuth flow specifically—other provider flows may not be affected.
-
Detect: Audit OAuth token issuance logs for tokens redeemed from unexpected source IPs or outside normal user session windows.
-
Rotate: Proactively invalidate and reissue all active OAuth tokens for affected deployments as a precaution.
-
Harden: Ensure redirect URIs are registered to HTTPS-only endpoints, and enforce access controls on server-side logs that capture redirect URLs.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-34511?
CVE-2026-34511 is an OAuth PKCE implementation flaw in OpenClaw (npm ≤ 2026.4.1) where the Gemini OAuth flow incorrectly reuses the PKCE verifier as the OAuth state parameter, causing it to be reflected in redirect URLs alongside the authorization code—defeating PKCE's core defense against authorization code interception. Any party who can observe the redirect URL—through server logs, referrer headers, browser history, shared reverse proxies, or a network-positioned attacker—can extract both values and redeem a valid OAuth token to fully impersonate the authenticated user. Although the raw EPSS score is low (0.00029), this vulnerability lands in the top 92nd percentile for exploitation likelihood, and OpenClaw's 13-CVE track record signals a persistent pattern of inadequate security maturity that warrants broad concern. Patch to version 2026.4.2 immediately; if patching is blocked, restrict access to redirect URL logs and monitor for OAuth token redemptions from unexpected IPs or outside normal session windows.
Is CVE-2026-34511 actively exploited?
No confirmed active exploitation of CVE-2026-34511 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-34511?
1. Patch: Upgrade the openclaw npm package to >= 2026.4.2 immediately. Fix commit a26f4d0f separates OAuth state from the PKCE verifier. 2. Scope: Confirm whether your deployment uses the Gemini OAuth flow specifically—other provider flows may not be affected. 3. Detect: Audit OAuth token issuance logs for tokens redeemed from unexpected source IPs or outside normal user session windows. 4. Rotate: Proactively invalidate and reissue all active OAuth tokens for affected deployments as a precaution. 5. Harden: Ensure redirect URIs are registered to HTTPS-only endpoints, and enforce access controls on server-side logs that capture redirect URLs.
What systems are affected by CVE-2026-34511?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM API integrations, AI agent OAuth integrations.
What is the CVSS score for CVE-2026-34511?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0055 Unsecured Credentials AML.T0091.000 Application Access Token AML.T0106 Exploitation for Credential Access Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth `state` value. Because the provider reflected `state` back in the redirect URL, the verifier could be exposed alongside the authorization code. ## Impact Anyone who could capture the redirect URL could learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection for that flow and enabling token redemption. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `a26f4d0f3ef0757db6c6c40277cc06a5de76c52f` — separate OAuth state from the PKCE verifier OpenClaw thanks @BG0ECV for reporting.
Exploitation Scenario
An attacker targets an organization running an OpenClaw-based AI agent deployment. During a legitimate user's Gemini OAuth authentication, the attacker captures the redirect URL via a compromised reverse proxy, server access log exfiltration, or a browser-based attack. Because the vulnerable implementation sets state equal to the PKCE verifier, the URL contains both the authorization code and the verifier in plaintext. The attacker submits the authorization code and the verifier to the token endpoint—successfully bypassing PKCE's interception protection—and obtains a valid OAuth access token. With this token, the attacker authenticates as the victim, invokes agent tools, accesses conversation history, and potentially pivots to any service the agent is authorized to reach.
Weaknesses (CWE)
CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Source: MITRE CWE corpus.
References
- github.com/advisories/GHSA-9jpj-g8vv-j5mf
- github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f
- github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf
- nvd.nist.gov/vuln/detail/CVE-2026-34511
- vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw