CVE-2026-34511 in OpenClawinfo

Summary

OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Responsible

VulnCheck

Reservation

03/30/2026

Disclosure

04/04/2026

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

IDVulnerabilityCWEExpCouCVE
355200OpenClaw Parameter random values330Not definedOfficial fixCVE-2026-34511

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

PreviousOverviewNext