CVE-2026-4424 is a high-severity vulnerability affecting OpenClaw versions up to 2026.4.1. The flaw is improper handling of the PKCE verifier in the Gemini OAuth flow, which can expose the verifier in redirect URLs. Successful exploitation lets an attacker capture the authorization code and redeem it for tokens, gaining unauthorized access. The vulnerability is fixed in OpenClaw version 2026.4.2.
Impact and Attack Scenarios
The core impact of CVE-2026-4424 lies in the exposure of the PKCE verifier. PKCE (Proof Key for Code Exchange) is a crucial security mechanism designed to prevent authorization code interception attacks. By reusing the verifier as the OAuth state value, OpenClaw inadvertently allows an attacker who can intercept the redirect URL to obtain both the authorization code and the verifier. With both in hand, the attacker can bypass PKCE's protection and redeem the authorization code for an access token, effectively gaining unauthorized access to the protected resource. This could lead to data breaches, account takeover, and other malicious activities. The blast radius extends to any application relying on OpenClaw for OAuth authentication and authorization.
Exploitation Context
As of the publication date, there is no indication that CVE-2026-4424 is being exploited in the wild, and it is not listed in CISA's KEV (Known Exploited Vulnerabilities) catalog as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be low to medium, reflecting the need for attacker interaction and the relative complexity of exploiting the vulnerability. Public proof-of-concept (PoC) code is not widely available, but the nature of the vulnerability makes it relatively straightforward to demonstrate. The vulnerability was published on 2026-04-04.
Threat Intelligence
Exploitation Status
EPSS
0.17% (39th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access is required, giving the largest attack surface.
- Attack Complexity: Low. No special conditions are required; the vulnerability can be exploited reliably.
- Privileges Required: None. No authentication is needed; the flaw is exploitable without credentials.
- User Interaction: None. The attack is automatic and silent; the victim does not need to take any action.
- Scope: Unchanged. The impact is limited to the vulnerable component itself.
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: None. No integrity impact.
- Availability: None. No availability impact.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigations and Workarounds
The primary mitigation for CVE-2026-4424 is to upgrade to OpenClaw version 2026.4.2 or later, which corrects the flawed handling of the PKCE verifier. If upgrading immediately is not feasible, consider temporary workarounds. A direct WAF rule is difficult to implement without application-level inspection, but you can monitor redirect URLs for unusual patterns or unexpected verifier values. Review your OAuth flow implementation to ensure PKCE is used correctly, and consider stricter redirect URL validation. After upgrading, confirm the fix by initiating an OAuth flow and verifying that the PKCE verifier does not appear in the redirect URL.
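The mechanism described in the impact section (the verifier reused as the OAuth state value, so the authorization server echoes it back in the redirect) and the post-upgrade check above, as an added illustration in Python that is not OpenClaw's own code. The endpoint, redirect URI and authorization code are constructed placeholders; the flow is simulated locally with no network.

```python
import base64
import hashlib
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example/oauth2/authorize"  # constructed placeholder
REDIRECT_URI = "http://localhost:8080/callback"           # constructed placeholder


def make_verifier() -> str:
    # RFC 7636 verifier: 43-128 unreserved chars; 32 random bytes -> 43 chars
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def challenge_s256(verifier: str) -> str:
    # S256 code_challenge = BASE64URL(SHA256(verifier)) without padding
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(client_id: str, verifier: str, state: str) -> str:
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "code_challenge": challenge_s256(verifier),
              "code_challenge_method": "S256", "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def vulnerable_flow(client_id: str):
    # Flawed pattern from the advisory: the secret verifier doubles as `state`,
    # and the authorization server reflects `state` into the redirect URL.
    verifier = make_verifier()
    return verifier, build_authorize_url(client_id, verifier, state=verifier)


def fixed_flow(client_id: str):
    # Correct pattern: independent random state; the verifier stays client-side
    # and is only sent later, directly to the token endpoint.
    verifier = make_verifier()
    state = secrets.token_urlsafe(24)
    return verifier, state, build_authorize_url(client_id, verifier, state)


def simulate_redirect(authorize_url: str, code: str = "CONSTRUCTED-CODE") -> str:
    # Models the authorization server: echoes `state` unchanged next to the code.
    state = parse_qs(urlparse(authorize_url).query)["state"][0]
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})


def verifier_exposed(redirect_url: str, verifier: str) -> bool:
    # Post-upgrade check: does any query parameter of the redirect carry the verifier?
    qs = parse_qs(urlparse(redirect_url).query)
    return any(verifier in v for values in qs.values() for v in values)
```

Run the vulnerable and fixed flows through `simulate_redirect` and `verifier_exposed`; only the vulnerable flow's redirect URL contains the verifier.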
Remediation
Update the libarchive library to version 3.7.8 or later to mitigate the information-disclosure vulnerability. Applying the updates provided by Red Hat Enterprise Linux through the official update channels is recommended. Check the Red Hat security errata for detailed instructions.
Frequently Asked Questions
What is CVE-2026-4424 — OAuth Verifier Leak in OpenClaw?
CVE-2026-4424 is a high-severity vulnerability in OpenClaw versions up to 2026.4.1 where the PKCE verifier is exposed in redirect URLs, allowing attackers to redeem authorization codes and gain unauthorized access.
Am I affected by CVE-2026-4424 in OpenClaw?
You are affected if you are using OpenClaw version 2026.4.1 or earlier and use the Gemini OAuth flow. Check your project's dependencies to confirm.
How do I fix CVE-2026-4424 in OpenClaw?
Upgrade to OpenClaw version 2026.4.2 or later to resolve the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like monitoring redirect URLs.
Is CVE-2026-4424 being actively exploited?
As of now, there is no public evidence of active exploitation, but the nature of the vulnerability makes it potentially exploitable.
Where can I find the official OpenClaw advisory for CVE-2026-4424?
Refer to the OpenClaw project's official advisory and release notes for detailed information and updates: [https://github.com/openclaw/openclaw/releases/tag/2026.4.2](https://github.com/openclaw/openclaw/releases/tag/2026.4.2)