GHSA-9jpj-g8vv-j5mf: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth state value. Because the provider reflected state back in the redirect URL, the verifier could be exposed alongside the authorization code.
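The bug class described above, as an added example that is not OpenClaw's own code (the provider endpoint, redirect URI and function names are placeholders): the pre-fix start of flow beside the fixed one, a model of the provider reflecting `state` verbatim into the redirect, and a check that flags the PKCE verifier turning up in that redirect.

```python
# Added illustration of the GHSA-9jpj-g8vv-j5mf bug class (not OpenClaw code).
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://provider.example/o/oauth2/auth"  # placeholder
REDIRECT_URI = "http://localhost:8080/oauth2callback"      # placeholder

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) as in RFC 7636."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def authorize_url(state: str, challenge: str) -> str:
    params = {"response_type": "code", "redirect_uri": REDIRECT_URI,
              "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def start_flow_vulnerable() -> tuple[str, str]:
    """Pre-2026.4.2 pattern: the PKCE verifier doubles as the state value."""
    verifier, challenge = pkce_pair()
    return verifier, authorize_url(state=verifier, challenge=challenge)

def start_flow_fixed() -> tuple[str, str, str]:
    """Fixed pattern: state is an independent random nonce, so the verifier
    stays client-side until the back-channel token exchange."""
    verifier, challenge = pkce_pair()
    state = b64url(secrets.token_bytes(32))
    return verifier, state, authorize_url(state=state, challenge=challenge)

def provider_redirect(auth_url: str, code: str) -> str:
    """Model the provider reflecting `state` verbatim into the redirect URL."""
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})

def verifier_exposed(redirect_url: str, verifier: str) -> bool:
    """Check whether any query value in the redirect equals the verifier."""
    query = parse_qs(urlparse(redirect_url).query)
    return any(v == verifier for values in query.values() for v in values)
```

Run `verifier_exposed` over the redirect URL the provider sends back: it is true for the vulnerable flow and false for the fixed one, while the fixed flow's independent `state` still round-trips for CSRF matching.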