CVE-2026-34511 is an OAuth PKCE implementation flaw in OpenClaw (npm ≤ 2026.4.1): the Gemini OAuth flow reuses the PKCE verifier as the OAuth state parameter, so the verifier is reflected in the redirect URL alongside the authorization code, defeating PKCE's core defense against authorization code interception. Any party who can observe the redirect URL (through server logs, referrer headers, browser history, shared reverse proxies, or a network position on the path) can extract both values and redeem a valid OAuth token to fully impersonate the authenticated user. Although the raw EPSS score is low (0.00029), the vulnerability sits in the 92nd percentile for exploitation likelihood, and OpenClaw's 13-CVE track record signals a persistent pattern of inadequate security maturity that warrants broad concern. Patch to version 2026.4.2 immediately; if patching is blocked, restrict access to logs that capture redirect URLs and monitor for OAuth token redemptions from unexpected IPs or outside normal session windows.
Risk Assessment
Moderate-to-high risk for organizations using OpenClaw's Gemini OAuth integration. Exploitation requires visibility into redirect URLs, which is realistically achievable via server access logs, browser history leaks, compromised infrastructure, or network interception, none of which are exotic capabilities in enterprise environments. No public exploits exist and the CVE is absent from CISA KEV, reducing immediate urgency, but the structural nature of the flaw means all deployments on affected versions are persistently vulnerable until patched. The 13-CVE history of this package justifies a broader security review of OpenClaw's authentication subsystem beyond this single fix.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |
Do you use openclaw? You're affected.
Recommended Action
- Patch: Upgrade the openclaw npm package to >= 2026.4.2 immediately. Fix commit a26f4d0f separates OAuth state from the PKCE verifier.
- Scope: Confirm whether your deployment uses the Gemini OAuth flow specifically—other provider flows may not be affected.
- Detect: Audit OAuth token issuance logs for tokens redeemed from unexpected source IPs or outside normal user session windows.
- Rotate: Proactively invalidate and reissue all active OAuth tokens for affected deployments as a precaution.
- Harden: Ensure redirect URIs are registered to HTTPS-only endpoints, and enforce access controls on server-side logs that capture redirect URLs.
Technical Details
NVD Description
## Summary

Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth `state` value. Because the provider reflected `state` back in the redirect URL, the verifier could be exposed alongside the authorization code.

## Impact

Anyone who could capture the redirect URL could learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection for that flow and enabling token redemption.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `a26f4d0f3ef0757db6c6c40277cc06a5de76c52f` — separate OAuth state from the PKCE verifier

OpenClaw thanks @BG0ECV for reporting.
Exploitation Scenario
An attacker targets an organization running an OpenClaw-based AI agent deployment. During a legitimate user's Gemini OAuth authentication, the attacker captures the redirect URL via a compromised reverse proxy, server access log exfiltration, or a browser-based attack. Because the vulnerable implementation sets state equal to the PKCE verifier, the URL contains both the authorization code and the verifier in plaintext. The attacker submits the authorization code and the verifier to the token endpoint—successfully bypassing PKCE's interception protection—and obtains a valid OAuth access token. With this token, the attacker authenticates as the victim, invokes agent tools, accesses conversation history, and potentially pivots to any service the agent is authorized to reach.
References
- github.com/advisories/GHSA-9jpj-g8vv-j5mf
- github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f
- github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf
- nvd.nist.gov/vuln/detail/CVE-2026-34511
- vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter
Related Vulnerabilities
| ID | CVSS | Title | Relationship |
|---|---|---|---|
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-28451 | 9.3 | OpenClaw: SSRF via Feishu extension exposes internal services | Same package: openclaw |
| GHSA-m3mh-3mpg-37hw | 8.6 | OpenClaw: .npmrc hijack enables RCE on plugin install | Same package: openclaw |
| CVE-2026-27001 | 7.8 | OpenClaw: prompt injection via unsanitized workspace path | Same package: openclaw |
| GHSA-hr5v-j9h9-xjhg | 7.7 | OpenClaw: sandbox escape via mediaUrl path traversal | Same package: openclaw |