GHSA-6g25-pc82-vfwp: OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state
The affected surface is the OpenClaw macOS app onboarding flow, and the macOS app is currently in beta.
In that beta onboarding flow, the Anthropic OAuth integration used the PKCE code_verifier value as the OAuth state parameter, so a secret that should never leave the client was carried in the front-channel authorization URL (and therefore in anything that records that URL, such as browser history, proxy logs, or referrers).
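The following is an added example to illustrate the defect class described above; it is not OpenClaw's code, and the authorization endpoint, client id and redirect URI are placeholders. It shows the anti-pattern (the PKCE verifier reused as state) next to the corrected flow (an independent random state, only the derived S256 challenge in the URL, verifier kept in client memory), plus an audit helper that flags an authorization URL carrying the verifier in any query parameter.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint (assumption, not Anthropic's or OpenClaw's real URL).
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth/authorize"


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url_vulnerable(client_id: str, redirect_uri: str, verifier: str) -> str:
    """The pattern the advisory describes: the PKCE secret doubles as OAuth state.
    Whoever sees this URL (history, logs, referrers) now holds the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
        "state": verifier,  # BUG: secret sent through the front channel
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def start_flow_fixed(client_id: str, redirect_uri: str) -> dict:
    """Corrected flow: state is its own random nonce; the verifier stays local.
    Returns the URL to open plus the per-flow session the client must retain."""
    verifier = make_code_verifier()
    state = b64url_nopad(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    url = f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"
    # Only the client keeps the verifier; it is sent solely on the back-channel
    # token exchange, never in the browser-visible URL.
    return {"url": url, "state": state, "verifier": verifier}


def validate_callback(session: dict, returned_state: str) -> bool:
    """Before exchanging the code, bind the callback to the flow that started it."""
    return secrets.compare_digest(session["state"], returned_state)


def url_reveals_verifier(url: str, verifier: str) -> bool:
    """Audit check: does the front-channel URL carry the verifier in any parameter?"""
    query = parse_qs(urlparse(url).query)
    return any(verifier in v for values in query.values() for v in values)


if __name__ == "__main__":
    v = make_code_verifier()
    bad = build_authorize_url_vulnerable("client-placeholder", "app://callback", v)
    good = start_flow_fixed("client-placeholder", "app://callback")
    print("vulnerable URL leaks verifier:", url_reveals_verifier(bad, v))
    print("fixed URL leaks verifier:     ", url_reveals_verifier(good["url"], good["verifier"]))
```

The `code_challenge_s256` helper can be checked against the RFC 7636 Appendix B test vector; the audit helper is the kind of check a unit test or a request-logging hook can run so that a verifier never appears in a URL again.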