CVE-2026-34511 is an OAuth PKCE implementation flaw in OpenClaw (npm ≤ 2026.4.1) where the Gemini OAuth flow incorrectly reuses the PKCE verifier as the OAuth state parameter, causing it to be reflected in redirect URLs alongside the authorization code—defeating PKCE's core defense against authorization code interception. Any party who can observe the redirect URL—through server logs, referrer headers, browser history, shared reverse proxies, or a network-positioned attacker—can extract both values and redeem a valid OAuth token to fully impersonate the authenticated user. Although the raw EPSS score is low (0.00029), this vulnerability sits in the 92nd percentile for exploitation likelihood, and OpenClaw's 13-CVE track record signals a persistent pattern of inadequate security maturity that warrants broad concern. Patch to version 2026.4.2 immediately; if patching is blocked, restrict access to redirect URL logs and monitor for OAuth token redemptions from unexpected IPs or outside normal session windows.
What is the risk?
Moderate-to-high risk for organizations using OpenClaw's Gemini OAuth integration. Exploitation requires visibility into redirect URLs, which is realistically achievable via server access logs, browser history leaks, compromised infrastructure, or network interception—not exotic capabilities in enterprise environments. No public exploits exist and the CVE is absent from CISA KEV, reducing immediate urgency, but the structural nature of the flaw means all deployments on affected versions are persistently vulnerable until patched. The 13-CVE history of this package justifies a broader security review of OpenClaw's authentication subsystem beyond this single fix.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |
Do you use openclaw? You're affected.
What should I do?
5 steps:
1. Patch: Upgrade the openclaw npm package to >= 2026.4.2 immediately. Fix commit a26f4d0f separates OAuth state from the PKCE verifier.
2. Scope: Confirm whether your deployment uses the Gemini OAuth flow specifically—other provider flows may not be affected.
3. Detect: Audit OAuth token issuance logs for tokens redeemed from unexpected source IPs or outside normal user session windows.
4. Rotate: Proactively invalidate and reissue all active OAuth tokens for affected deployments as a precaution.
5. Harden: Ensure redirect URIs are registered to HTTPS-only endpoints, and enforce access controls on server-side logs that capture redirect URLs.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-34511 actively exploited?
No confirmed active exploitation of CVE-2026-34511 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-34511?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM API integrations, AI agent OAuth integrations.
What is the CVSS score for CVE-2026-34511?
No CVSS score has been assigned yet.
Technical Details
NVD Description
## Summary
Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth `state` value. Because the provider reflected `state` back in the redirect URL, the verifier could be exposed alongside the authorization code.
## Impact
Anyone who could capture the redirect URL could learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection for that flow and enabling token redemption.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`
## Fix Commit(s)
- `a26f4d0f3ef0757db6c6c40277cc06a5de76c52f` — separate OAuth state from the PKCE verifier
OpenClaw thanks @BG0ECV for reporting.
Exploitation Scenario
An attacker targets an organization running an OpenClaw-based AI agent deployment. During a legitimate user's Gemini OAuth authentication, the attacker captures the redirect URL via a compromised reverse proxy, server access log exfiltration, or a browser-based attack. Because the vulnerable implementation sets state equal to the PKCE verifier, the URL contains both the authorization code and the verifier in plaintext. The attacker submits the authorization code and the verifier to the token endpoint—successfully bypassing PKCE's interception protection—and obtains a valid OAuth access token. With this token, the attacker authenticates as the victim, invokes agent tools, accesses conversation history, and potentially pivots to any service the agent is authorized to reach.
References
- github.com/advisories/GHSA-9jpj-g8vv-j5mf
- github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f
- github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf
- nvd.nist.gov/vuln/detail/CVE-2026-34511
- vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter
Related Vulnerabilities
| ID | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-28451 | 9.3 | OpenClaw: SSRF via Feishu extension exposes internal services | Same package: openclaw |
| GHSA-cwj3-vqpp-pmxr | 8.8 | openclaw: Model bypasses authz to persist unsafe config | Same package: openclaw |
| GHSA-m3mh-3mpg-37hw | 8.6 | OpenClaw: .npmrc hijack enables RCE on plugin install | Same package: openclaw |
| CVE-2026-27001 | 7.8 | OpenClaw: prompt injection via unsanitized workspace path | Same package: openclaw |