OpenClaw, PKCE Verifier Exposure, CVE-2026-34511 (high)

Listen to this Post

The vulnerability arises from a parameter reuse flaw in OpenClaw’s Gemini OAuth flow. Prior to version 2026.4.2, the application incorrectly used the PKCE `code_verifier` as the value for the OAuth `state` parameter[reference:0]. During a standard PKCE OAuth flow, the `code_verifier` is a high-entropy secret that should never leave the client. However, because OpenClaw assigned this secret to the `state` parameter, it was included in the initial authorization request. The Gemini OAuth provider reflects the `state` parameter back unchanged in the redirect URL after user authorization. As a result, the final redirect URI contains both the `authorization_code` and the PKCE `code_verifier` in plaintext[reference:1]. An attacker who can intercept or observe this redirect URL (e.g., through network sniffing, web server logs, or Referer headers) gains access to both pieces of information[reference:2]. With the `authorization_code` and its corresponding code_verifier, the attacker can exchange them for a valid access token, completely bypassing the protection PKCE is designed to provide[reference:3]. This defeats PKCE’s primary purpose, which is to ensure that the `authorization_code` was legitimately issued by the same client that started the flow. The issue is classified as a parameter isolation violation and is tracked as CWE-1259[reference:4].

dailycve form:

Platform: OpenClaw
Version: 2026.4.1
Vulnerability : PKCE verifier leak
Severity: High
date: 2026-04-02

Prediction: Patch 2026-04-04

Analytics under What Undercode Say:

Check OpenClaw version
openclaw --version
Identify vulnerable PKCE state usage
grep -r "code_verifier.state" /path/to/openclaw
Monitor redirect URLs for exposed state
sudo tcpdump -A -l 'tcp port 443' | grep -E "state=|code="
Verify fix in commit a26f4d0
git show a26f4d0f3ef0757db6c6c40277cc06a5de76c52f

Exploit:

An attacker captures the OAuth redirect URL (e.g., via network logs). The URL contains both `code=…` and `state=…` where `state` is the PKCE verifier. The attacker then POSTs to the token endpoint with the captured `code` and `verifier` to obtain a valid access token.

Protection from this CVE

Upgrade to OpenClaw 2026.4.2 or higher[reference:5]. Revoke existing Google OAuth grants for the OpenClaw application[reference:6]. Use a cryptographically secure random generator for the `state` parameter, separate from the PKCE code_verifier.

Impact

An attacker who captures the redirect URL can learn both the authorization code and the PKCE verifier. This enables them to redeem the token, gaining unauthorized access to the user’s Gemini data and associated Google services[reference:7].

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top