CVE-2026-4424: OAuth Verifier Leak in OpenClaw
Plataforma
linux
Componente
libarchive
Corrigido em
*
CVE-2026-4424 is a high-severity vulnerability affecting OpenClaw versions up to 2026.4.1. This flaw involves the improper handling of the PKCE verifier within the Gemini OAuth flow, leading to its potential exposure in redirect URLs. Successful exploitation allows an attacker to compromise the authorization code and ultimately redeem tokens, granting unauthorized access. The vulnerability is resolved in OpenClaw version 2026.4.2.
Impacto e Cenários de Ataquetraduzindo…
The core impact of CVE-2026-4424 lies in the exposure of the PKCE verifier. PKCE (Proof Key for Code Exchange) is a crucial security mechanism designed to prevent authorization code interception attacks. By reusing the verifier as the OAuth state value, OpenClaw inadvertently allows an attacker who can intercept the redirect URL to obtain both the authorization code and the verifier. With both in hand, the attacker can bypass PKCE's protection and redeem the authorization code for an access token, effectively gaining unauthorized access to the protected resource. This could lead to data breaches, account takeover, and other malicious activities. The blast radius extends to any application relying on OpenClaw for OAuth authentication and authorization.
Contexto de Exploraçãotraduzindo…
As of the publication date, there's no indication that CVE-2026-4424 is actively exploited in the wild. The vulnerability is not listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be low to medium, reflecting the need for attacker interaction and the relative complexity of exploiting the vulnerability. Public proof-of-concept (POC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to demonstrate. The vulnerability was published on 2026-04-04.
Inteligência de Ameaças
Status do Exploit
EPSS
0.17% (percentil 39%)
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Inalterado — impacto limitado ao componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Nenhum — sem impacto na integridade.
- Availability
- Nenhum — sem impacto na disponibilidade.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reserved
- Publicada
- Modificada
- EPSS atualizado
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-4424 is to upgrade to OpenClaw version 2026.4.2 or later. This version corrects the flawed handling of the PKCE verifier. If upgrading immediately is not feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement without application-level inspection, you can monitor redirect URLs for unusual patterns or unexpected verifier values. Review your OAuth flow implementation to ensure proper PKCE usage and consider stricter redirect URL validation. After upgrading, confirm the fix by initiating an OAuth flow and verifying that the PKCE verifier is not exposed in the redirect URL.
Como corrigirtraduzindo…
Actualizar la biblioteca libarchive a la versión 3.7.8 o superior para mitigar la vulnerabilidad de divulgación de información. Se recomienda aplicar las actualizaciones proporcionadas por Red Hat Enterprise Linux a través de los canales de actualización oficiales. Verificar las erratas de seguridad de Red Hat para obtener instrucciones detalladas.
Perguntas frequentestraduzindo…
What is CVE-2026-4424 — OAuth Verifier Leak in OpenClaw?
CVE-2026-4424 is a high-severity vulnerability in OpenClaw versions up to 2026.4.1 where the PKCE verifier is exposed in redirect URLs, allowing attackers to redeem authorization codes and gain unauthorized access.
Am I affected by CVE-2026-4424 in OpenClaw?
You are affected if you are using OpenClaw version 2026.4.1 or earlier and utilize the Gemini OAuth flow. Check your project's dependencies to confirm.
How do I fix CVE-2026-4424 in OpenClaw?
Upgrade to OpenClaw version 2026.4.2 or later to resolve the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like monitoring redirect URLs.
Is CVE-2026-4424 being actively exploited?
As of now, there's no public evidence of active exploitation, but the vulnerability's nature makes it potentially exploitable.
Where can I find the official OpenClaw advisory for CVE-2026-4424?
Refer to the OpenClaw project's official advisory and release notes for detailed information and updates: [https://github.com/openclaw/openclaw/releases/tag/2026.4.2](https://github.com/openclaw/openclaw/releases/tag/2026.4.2)
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...