OpenClaw PKCE Verifier Exposure Vulnerability in OAuth State Parameter
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.4.2, where the PKCE code verifier is reused as the OAuth state parameter in the Gemini OAuth flow. Because the authorization server echoes the state value back unchanged, this implementation flaw exposes the verifier through the redirect URL. As a result, an attacker who intercepts the redirect URL obtains both the authorization code and the PKCE verifier, which undermines the protection PKCE is meant to provide and allows unauthorized token redemption.
Impact
An attacker who intercepts the redirect URL obtains both the PKCE verifier and the authorization code, bypassing PKCE's protection and enabling access tokens to be obtained without authorization.
Reproduction
To reproduce this vulnerability, initiate the Gemini OAuth flow in an OpenClaw version prior to 2026.4.2. During the flow, the PKCE verifier is sent as the state parameter. If the redirect URL is intercepted, both the authorization code and the PKCE verifier can be read from it, demonstrating the vulnerability.
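The following is an added example, not code from OpenClaw or from this advisory, that models the flaw described above and the check a reviewer can apply to it. It builds the authorization URL two ways: the flawed way, with the verifier placed in the state parameter, and the correct way, with an independent random state and only the S256 challenge leaving the client. A simulated authorization server then echoes state back on the redirect, and two defensive checks show whether the redirect alone reveals the verifier and whether the token endpoint's PKCE check could be satisfied from the redirect's contents. The endpoint, client id, redirect URI and authorization code are constructed placeholders and do not correspond to OpenClaw's real configuration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for the demonstration; not OpenClaw's real values.
AUTHORIZE_ENDPOINT = "https://auth.example/o/oauth2/v2/auth"
REDIRECT_URI = "http://localhost:8085/oauth2callback"
CLIENT_ID = "example-client-id"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_verifier() -> str:
    """High-entropy code_verifier: 32 random bytes -> 43 unreserved chars."""
    return b64url(secrets.token_bytes(32))


def challenge_from_verifier(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("utf-8")).digest())


def _base_params(verifier: str) -> dict:
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge_from_verifier(verifier),
        "code_challenge_method": "S256",
    }


def build_authorize_url_flawed(verifier: str) -> str:
    """The flaw in the advisory: the verifier itself is used as `state`.
    Anything in `state` is echoed back by the provider on the redirect."""
    params = _base_params(verifier)
    params["state"] = verifier
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def build_authorize_url_fixed(verifier: str) -> tuple[str, str]:
    """Correct construction: `state` is an independent random CSRF token.
    The verifier stays local; only its S256 challenge leaves the client."""
    state = b64url(secrets.token_bytes(16))
    params = _base_params(verifier)
    params["state"] = state
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def simulate_provider_redirect(authorize_url: str, code: str) -> str:
    """Models the authorization server: it issues a code and echoes `state`
    back unchanged on the registered redirect_uri."""
    q = parse_qs(urlparse(authorize_url).query)
    callback = {"code": code, "state": q["state"][0]}
    return f"{q['redirect_uri'][0]}?{urlencode(callback)}"


def query_param(url: str, name: str) -> str:
    """First value of a query parameter, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def redirect_exposes_verifier(redirect_url: str, verifier: str) -> bool:
    """Defensive check: does any query parameter of the redirect carry the verifier?"""
    q = parse_qs(urlparse(redirect_url).query)
    return any(verifier in v for values in q.values() for v in values)


def token_endpoint_would_accept(redirect_url: str, challenge: str) -> bool:
    """The PKCE check a token endpoint performs (SHA256 of presented verifier
    must equal the challenge bound to the code), applied to every value in
    the redirect. True means the redirect alone is enough to redeem the code,
    which is exactly the condition PKCE exists to prevent."""
    q = parse_qs(urlparse(redirect_url).query)
    return any(challenge_from_verifier(v) == challenge
               for values in q.values() for v in values)


if __name__ == "__main__":
    v = generate_verifier()
    for label, url in (("flawed", build_authorize_url_flawed(v)),
                       ("fixed", build_authorize_url_fixed(v)[0])):
        redirect = simulate_provider_redirect(url, "constructed-code")
        print(label, "exposes verifier:", redirect_exposes_verifier(redirect, v),
              "| code redeemable from redirect alone:",
              token_endpoint_would_accept(redirect, challenge_from_verifier(v)))
```

The fixed variant still binds the code to the verifier (the challenge is unchanged), so PKCE keeps working; what changes is that the verifier never leaves the client's memory, and the state parameter becomes a separate value whose only job is to tie the callback to the request that started it.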
Remediation
Users can upgrade to OpenClaw version 2026.4.2 or later to address this vulnerability.
