GHSA-6g25-pc82-vfwp: OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state
Summary
The OpenClaw macOS beta onboarding flow placed the PKCE code_verifier (the secret value that proves the client completing an OAuth authorization is the one that started it) into the OAuth state parameter, which is carried in the authorization URL and can therefore be read by anything that sees that URL. The issue was limited to the macOS beta app's sign-in flow and did not affect other parts of the software.
Solution / Mitigation
OpenClaw removed Anthropic OAuth sign-in from macOS onboarding and replaced it with setup-token-only authentication. The fix is available in patched version 2026.2.25.
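To make the flaw concrete, here is an added example (not OpenClaw code; the endpoint, client id and redirect URI are placeholders) contrasting the anti-pattern described above, where the code_verifier rides in `state`, with the standard PKCE arrangement in which `state` is an opaque nonce and the verifier stays in local memory until the callback. OpenClaw's actual fix removed the OAuth flow entirely; the safe variant here shows the general pattern, plus an audit check that flags a URL whose state value satisfies its own code_challenge.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint; not the real Anthropic/OpenClaw authorization URL.
AUTH_ENDPOINT = "https://auth.example.invalid/oauth/authorize"


def make_verifier() -> str:
    # RFC 7636 verifier: 43-128 unreserved chars; 32 random bytes -> 43 chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(verifier)) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def vulnerable_authorize_url(client_id: str, redirect_uri: str, verifier: str) -> str:
    # Anti-pattern from the advisory: the secret verifier is reused as `state`
    # so the callback can recover it, which puts the secret into the URL itself.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "code_challenge_method": "S256",
              "code_challenge": make_challenge(verifier), "state": verifier}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


_pending: dict = {}  # state -> verifier, held only in this process's memory


def safe_authorize_url(client_id: str, redirect_uri: str) -> Tuple[str, str]:
    # Correct pattern: `state` is an unrelated random nonce; the verifier never
    # leaves the client until it is sent on the back-channel token request.
    verifier, state = make_verifier(), secrets.token_urlsafe(32)
    _pending[state] = verifier
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "code_challenge_method": "S256",
              "code_challenge": make_challenge(verifier), "state": state}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def verifier_for_callback(state: str) -> Optional[str]:
    # Single use: an unknown or replayed state yields None and must be rejected.
    return _pending.pop(state, None)


def state_leaks_verifier(url: str) -> bool:
    # Audit check: does hashing the state value reproduce the code_challenge?
    qs = parse_qs(urlparse(url).query)
    state = qs.get("state", [""])[0]
    challenge = qs.get("code_challenge", [""])[0]
    return bool(state) and make_challenge(state) == challenge
```

The audit check is useful against authorization URLs found in logs or crash reports: a hit means the verifier was exposed on the front channel, as in this advisory.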
Original source: https://github.com/advisories/GHSA-6g25-pc82-vfwp
First tracked: March 2, 2026 at 11:00 PM
Classified by LLM (prompt v3) · confidence: 92%