GHSA-9jpj-g8vv-j5mf

Source
https://github.com/advisories/GHSA-9jpj-g8vv-j5mf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9jpj-g8vv-j5mf/GHSA-9jpj-g8vv-j5mf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9jpj-g8vv-j5mf
Aliases
  • CVE-2026-34511
Downstream
Published
2026-04-04T06:26:55Z
Modified
2026-04-07T14:35:15.161678Z
Severity
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
Details

Summary

Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth state value. Because the provider reflected state back in the redirect URL, the verifier could be exposed alongside the authorization code.

Impact

Anyone who could capture the redirect URL could learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection for that flow and enabling token redemption.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • a26f4d0f3ef0757db6c6c40277cc06a5de76c52f — separate OAuth state from the PKCE verifier

OpenClaw thanks @BG0ECV for reporting.

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-345"
    ],
    "severity": "HIGH",
    "nvd_published_at": null,
    "github_reviewed_at": "2026-04-04T06:26:55Z"
}
References

Affected packages

npm / openclaw

Package

Affected ranges

Type: SEMVER
Events:
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 2026.4.2

Database specific

source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9jpj-g8vv-j5mf/GHSA-9jpj-g8vv-j5mf.json"
last_known_affected_version_range: "<= 2026.4.1"