{"data":{"id":"b371599e-ab2c-471b-88f3-95092284925e","title":"GHSA-6g25-pc82-vfwp: OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state","summary":"The OpenClaw macOS beta onboarding flow exposed the PKCE code_verifier (the secret that PKCE uses to prove that the client redeeming an OAuth authorization code is the one that started the login) by placing it in the OAuth state parameter, which is carried in URLs and could therefore be observed. The vulnerability affected only the macOS beta app's login flow, not other parts of the software.","solution":"OpenClaw removed Anthropic OAuth sign-in from macOS onboarding and replaced it with setup-token-only authentication. The fix is available in patched version 2026.2.25.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-6g25-pc82-vfwp","publishedAt":"2026-03-03T00:39:40.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":["openclaw@<= 2026.2.24 (fixed: 2026.2.25)"],"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Anthropic","OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}