OpenClaw OAuth PKCE Verifier Exposure Vulnerability
Platform: nodejs
Component: openclaw
Fixed in: 2026.4.2
GHSA-9jpj-g8vv-j5mf describes a vulnerability in OpenClaw related to the Gemini OAuth flow. Before version 2026.4.2, the PKCE verifier was reused as the OAuth `state` value. Because the provider reflected the `state` back in the redirect URL, the verifier could be exposed alongside the authorization code. This allows an attacker to capture the redirect URL and learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection. The issue is fixed in version 2026.4.2.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is GHSA-9jpj-g8vv-j5mf?
GHSA-9jpj-g8vv-j5mf is a vulnerability in OpenClaw where the PKCE verifier is exposed in the redirect URL, allowing an attacker to potentially redeem the authorization token.
Am I affected by GHSA-9jpj-g8vv-j5mf?
You are affected if you are using a version of OpenClaw prior to 2026.4.2 and using the Gemini OAuth flow. An attacker who can intercept the redirect URL can compromise the OAuth flow.
How do I fix GHSA-9jpj-g8vv-j5mf?
Upgrade to OpenClaw version 2026.4.2 or later. This version includes a fix that prevents the exposure of the PKCE verifier in the redirect URL, mitigating the vulnerability.