CVE-2026-34511: OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it thr
Summary
OpenClaw versions before 2026.4.2 have a security flaw in their Google Gemini login process: a secret value, the PKCE code verifier (a random string that protects the exchange of the OAuth authorization code), is reused as the OAuth state parameter (a value meant to bind the callback to the user's session and prevent request forgery) and is therefore exposed in the redirect URL (the page the user is sent to after login). An attacker who intercepts this URL obtains both the authorization code and the PKCE verifier, which defeats the protection PKCE was supposed to provide and allows the attacker to obtain the user's login tokens.
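To make the flaw concrete, here is an added example (not OpenClaw's own code) that builds a PKCE-protected authorization URL two ways: the flawed pattern, where the secret verifier is also sent as `state`, and the corrected pattern, where `state` is an independent nonce. The endpoint, redirect URI and client id are hypothetical values constructed for the example; `verifier_exposed` is a defensive check that reports whether the secret appears anywhere in the URL's query string.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint and redirect target, constructed for this example.
AUTH_ENDPOINT = "https://accounts.example.invalid/o/oauth2/auth"
REDIRECT_URI = "http://localhost:8085/callback"


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(client_id: str, state: str, challenge: str) -> str:
    """Assemble the authorization request; only the challenge, never the verifier, belongs here."""
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def vulnerable_flow(client_id: str) -> tuple[str, str]:
    """Flawed pattern: the secret verifier doubles as the public state value."""
    verifier, challenge = make_pkce_pair()
    return verifier, build_auth_url(client_id, state=verifier, challenge=challenge)


def fixed_flow(client_id: str) -> tuple[str, str, str]:
    """Corrected pattern: state is an independent random nonce kept server-side."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    return verifier, state, build_auth_url(client_id, state, challenge)


def query_param(url: str, name: str):
    """Return the first value of a query parameter, or None if absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def verifier_exposed(url: str, verifier: str) -> bool:
    """True if the verifier is carried in any query parameter (state is echoed back on the redirect)."""
    query = parse_qs(urlparse(url).query)
    return any(verifier in values for values in query.values())
```

The same check applied to the redirect URL received at the callback endpoint would flag the flawed flow, because the provider echoes `state` back unchanged.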
Solution / Mitigation
Update OpenClaw to version 2026.4.2 or later.
Vulnerability Details
CVSS base score: 5.3 (Medium)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Date: April 3, 2026
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34511
First tracked: April 3, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 75%