GHSA-ch86-pxr9-j9h9: Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
(updated )
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.
References
- github.com/advisories/GHSA-ch86-pxr9-j9h9
- github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f
- github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf
- nvd.nist.gov/vuln/detail/CVE-2026-34511
- www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter
Code Behaviors & Features
Detect and mitigate GHSA-ch86-pxr9-j9h9 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →