Scan free
Pending AnalysisCVE-2026-4424

CVE-2026-4424: OAuth Verifier Leak in OpenClaw

Platform

linux

Component

libarchive

Fixed in

*

View on NVD
Save

CVE-2026-4424 is a high-severity vulnerability affecting OpenClaw versions up to 2026.4.1. This flaw involves the improper handling of the PKCE verifier within the Gemini OAuth flow, leading to its potential exposure in redirect URLs. Successful exploitation allows an attacker to compromise the authorization code and ultimately redeem tokens, granting unauthorized access. The vulnerability is resolved in OpenClaw version 2026.4.2.

Impact and Attack Scenarios

The core impact of CVE-2026-4424 lies in the exposure of the PKCE verifier. PKCE (Proof Key for Code Exchange) is a crucial security mechanism designed to prevent authorization code interception attacks. By reusing the verifier as the OAuth state value, OpenClaw inadvertently allows an attacker who can intercept the redirect URL to obtain both the authorization code and the verifier. With both in hand, the attacker can bypass PKCE's protection and redeem the authorization code for an access token, effectively gaining unauthorized access to the protected resource. This could lead to data breaches, account takeover, and other malicious activities. The blast radius extends to any application relying on OpenClaw for OAuth authentication and authorization.

Exploitation Context

As of the publication date, there's no indication that CVE-2026-4424 is actively exploited in the wild. The vulnerability is not listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be low to medium, reflecting the need for attacker interaction and the relative complexity of exploiting the vulnerability. Public proof-of-concept (POC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to demonstrate. The vulnerability was published on 2026-04-04.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

0.17% (39% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentlibarchive
VendorRed Hat
Minimum version3.1.2
Maximum version*
Fixed in*

Weakness Classification (CWE)

CWE-125

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-4424 is to upgrade to OpenClaw version 2026.4.2 or later. This version corrects the flawed handling of the PKCE verifier. If upgrading immediately is not feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement without application-level inspection, you can monitor redirect URLs for unusual patterns or unexpected verifier values. Review your OAuth flow implementation to ensure proper PKCE usage and consider stricter redirect URL validation. After upgrading, confirm the fix by initiating an OAuth flow and verifying that the PKCE verifier is not exposed in the redirect URL.

How to fix

Actualizar la biblioteca libarchive a la versión 3.7.8 o superior para mitigar la vulnerabilidad de divulgación de información.  Se recomienda aplicar las actualizaciones proporcionadas por Red Hat Enterprise Linux a través de los canales de actualización oficiales.  Verificar las erratas de seguridad de Red Hat para obtener instrucciones detalladas.

Frequently asked questions

What is CVE-2026-4424 — OAuth Verifier Leak in OpenClaw?

CVE-2026-4424 is a high-severity vulnerability in OpenClaw versions up to 2026.4.1 where the PKCE verifier is exposed in redirect URLs, allowing attackers to redeem authorization codes and gain unauthorized access.

Am I affected by CVE-2026-4424 in OpenClaw?

You are affected if you are using OpenClaw version 2026.4.1 or earlier and utilize the Gemini OAuth flow. Check your project's dependencies to confirm.

How do I fix CVE-2026-4424 in OpenClaw?

Upgrade to OpenClaw version 2026.4.2 or later to resolve the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like monitoring redirect URLs.

Is CVE-2026-4424 being actively exploited?

As of now, there's no public evidence of active exploitation, but the vulnerability's nature makes it potentially exploitable.

Where can I find the official OpenClaw advisory for CVE-2026-4424?

Refer to the OpenClaw project's official advisory and release notes for detailed information and updates: [https://github.com/openclaw/openclaw/releases/tag/2026.4.2](https://github.com/openclaw/openclaw/releases/tag/2026.4.2)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...