Esta página aún no ha sido traducida a tu idioma. Mostrando contenido en inglés mientras trabajamos en ello.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-4424: OAuth Verifier Leak in OpenClaw
Plataforma
linux
Componente
libarchive
Corregido en
*
CVE-2026-4424 is a high-severity vulnerability affecting OpenClaw versions up to 2026.4.1. This flaw involves the improper handling of the PKCE verifier within the Gemini OAuth flow, leading to its potential exposure in redirect URLs. Successful exploitation allows an attacker to compromise the authorization code and ultimately redeem tokens, granting unauthorized access. The vulnerability is resolved in OpenClaw version 2026.4.2.
Impacto y Escenarios de Ataquetraduciendo…
The core impact of CVE-2026-4424 lies in the exposure of the PKCE verifier. PKCE (Proof Key for Code Exchange) is a crucial security mechanism designed to prevent authorization code interception attacks. By reusing the verifier as the OAuth state value, OpenClaw inadvertently allows an attacker who can intercept the redirect URL to obtain both the authorization code and the verifier. With both in hand, the attacker can bypass PKCE's protection and redeem the authorization code for an access token, effectively gaining unauthorized access to the protected resource. This could lead to data breaches, account takeover, and other malicious activities. The blast radius extends to any application relying on OpenClaw for OAuth authentication and authorization.
Contexto de Explotacióntraduciendo…
As of the publication date, there's no indication that CVE-2026-4424 is actively exploited in the wild. The vulnerability is not listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be low to medium, reflecting the need for attacker interaction and the relative complexity of exploiting the vulnerability. Public proof-of-concept (POC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to demonstrate. The vulnerability was published on 2026-04-04.
Inteligencia de Amenazas
Estado del Exploit
EPSS
0.17% (39% percentil)
Vector CVSS
¿Qué significan estas métricas?
- Attack Vector
- Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
- Attack Complexity
- Baja — sin condiciones especiales. El atacante puede explotar de forma confiable sin configuraciones raras.
- Privileges Required
- Ninguno — sin autenticación. No se necesitan credenciales para explotar.
- User Interaction
- Ninguna — el ataque es automático y silencioso. La víctima no hace nada.
- Scope
- Sin cambio — el impacto se limita al componente vulnerable.
- Confidentiality
- Alto — pérdida total de confidencialidad. El atacante puede leer todos los datos.
- Integrity
- Ninguno — sin impacto en integridad.
- Availability
- Ninguno — sin impacto en disponibilidad.
Software Afectado
Clasificación de Debilidad (CWE)
Cronología
- Publicada
- Modificada
- EPSS actualizado
Mitigación y Workaroundstraduciendo…
The primary mitigation for CVE-2026-4424 is to upgrade to OpenClaw version 2026.4.2 or later. This version corrects the flawed handling of the PKCE verifier. If upgrading immediately is not feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement without application-level inspection, you can monitor redirect URLs for unusual patterns or unexpected verifier values. Review your OAuth flow implementation to ensure proper PKCE usage and consider stricter redirect URL validation. After upgrading, confirm the fix by initiating an OAuth flow and verifying that the PKCE verifier is not exposed in the redirect URL.
Cómo corregirlotraduciendo…
Actualice la biblioteca libarchive a la versión 3.7.8 o superior para mitigar la vulnerabilidad de divulgación de información. Consulte las erratas de Red Hat (RHSA-2026:10065, RHSA-2026:10097, RHSA-2026:11768) para obtener instrucciones específicas de actualización para Red Hat Enterprise Linux.
Preguntas frecuentestraduciendo…
What is CVE-2026-4424 — OAuth Verifier Leak in OpenClaw?
CVE-2026-4424 is a high-severity vulnerability in OpenClaw versions up to 2026.4.1 where the PKCE verifier is exposed in redirect URLs, allowing attackers to redeem authorization codes and gain unauthorized access.
Am I affected by CVE-2026-4424 in OpenClaw?
You are affected if you are using OpenClaw version 2026.4.1 or earlier and utilize the Gemini OAuth flow. Check your project's dependencies to confirm.
How do I fix CVE-2026-4424 in OpenClaw?
Upgrade to OpenClaw version 2026.4.2 or later to resolve the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like monitoring redirect URLs.
Is CVE-2026-4424 being actively exploited?
As of now, there's no public evidence of active exploitation, but the vulnerability's nature makes it potentially exploitable.
Where can I find the official OpenClaw advisory for CVE-2026-4424?
Refer to the OpenClaw project's official advisory and release notes for detailed information and updates: [https://github.com/openclaw/openclaw/releases/tag/2026.4.2](https://github.com/openclaw/openclaw/releases/tag/2026.4.2)
¿Tu proyecto está afectado?
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Pruébalo ahora — sin cuenta
Sube cualquier manifiesto (composer.lock, package-lock.json, lista de plugins WordPress…) o pega tu lista de componentes. Recibís un reporte de vulnerabilidades al instante. Subir un archivo es solo el primer paso: con una cuenta tenés monitoreo continuo, alertas en tu canal, multi-proyecto y reportes white-label.
Arrastra y suelta tu archivo de dependencias
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...