OpenClaw Client PKCE Verifier Information Disclosure Vulnerability

Vulnerability

A vulnerability allowing remote attackers to disclose stored credentials has been identified in the OpenClaw macOS application, in versions up to and including 2026.2.24. The issue arises during the OAuth authorization process: the PKCE code verifier, a value that must stay private to the client, is inadvertently placed in the authorization URL query string, where it is exposed to anything that can observe the URL. Exploitation requires user interaction to initiate the OAuth flow.
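As an added example (not OpenClaw's code), the RFC 7636 S256 construction puts only the hashed challenge in the authorization URL and sends the verifier solely in the later token request; the `leak_verifier` switch reproduces the flawed pattern this advisory describes, and `query_exposes_verifier` is a check a test or code review can run on any generated authorization URL. The endpoint and client values are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values for this example; not OpenClaw's real endpoints.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "http://127.0.0.1:8765/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, leak_verifier: bool = False) -> str:
    """Build the authorization URL. Only the challenge belongs in the query.
    leak_verifier=True reproduces the flawed pattern from the advisory:
    the secret verifier itself is placed in the URL query string."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if leak_verifier:
        params["code_verifier"] = verifier  # flawed: exposes the secret
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def query_exposes_verifier(url: str, verifier: str) -> bool:
    """Review/test check: True if the verifier appears in any query value."""
    query = parse_qs(urlparse(url).query)
    return any(verifier in v for values in query.values() for v in values)
```

The verifier is meant to leave the client only inside the token request body, so a unit test asserting `query_exposes_verifier` is false on the authorize URL catches this class of defect before release.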

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of stored credentials, potentially enabling further compromise.

Remediation

OpenClaw has removed the vulnerable OAuth implementation from the macOS onboarding process. Users should update to version 2026.2.25 or later.

Added: Apr 11, 2026, 1:27 AM
Updated: Apr 11, 2026, 1:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.