OpenClaw, an npm package for handling Gemini OAuth flows, shipped with a critical flaw in versions up to 2026.4.1. Developers reused the PKCE verifier as the OAuth state parameter. Gemini’s OAuth provider echoes this state back in the redirect URL alongside the authorization code. Result: anyone snagging that redirect gets both the code and verifier, nullifying PKCE’s core protection against interception attacks.
This isn’t theoretical. PKCE—Proof Key for Code Exchange—exists to secure public clients like browser apps or mobile SDKs that can’t safely store client secrets. In a standard flow, the client generates a high-entropy verifier, computes a SHA-256 hashed code_challenge, and sends the challenge (not the verifier) to the auth server. The server later demands the verifier to swap the auth code for an access token. Attackers intercepting the code alone can’t proceed without it. OpenClaw’s mistake hands them the full kit.
How the Bug Works
Trace the flow. Client initiates OAuth: crafts verifier, sets state = verifier, computes challenge, redirects user to Gemini’s endpoint with challenge and state. User authenticates; Gemini redirects back to app’s callback URL with ?code=AUTH_CODE&state=VERIFIER. Boom—verifier exposed in plain sight.
An attacker needs only to capture this redirect. Vectors include network MITM (unencrypted HTTP, though rare now), browser extensions, shared logs, or even shoulder-surfing on mobile. With code and verifier in hand, they POST directly to Gemini’s token endpoint, bypassing the client entirely. The advisory mentions no rate limits or additional checks that would block this.
The flaw affects the npm package openclaw at versions <= 2026.4.1. The last vulnerable release was 2026.4.1; it is fixed in 2026.4.2 via commit a26f4d0f3ef0757db6c6c40277cc06a5de76c52f, which separates state (now random) from the verifier. Credit to @BG0ECV for the report—the quick fix shows a responsive team.
Real-World Implications
Why care? Gemini OAuth powers access to Google’s AI models (ex-Bard), increasingly integrated into apps for chat, analysis, even finance tools parsing market data. OpenClaw likely simplifies this for Node.js devs. Compromised flows mean attackers steal API quotas, user data, or session tokens. In finance/crypto apps, this escalates: imagine an automated trading bot’s Gemini integration hijacked for malicious queries or data exfil.
Scan your deps. Run
npm ls openclaw
or use tools like npm audit. Snyk or GitHub Dependabot might flag it post-patch. Update to >= 2026.4.2 immediately. The versioning—YYYY.M.D-style—is unusual for npm but ties releases to dates, easing tracking.
Broader lesson: PKCE mishaps persist despite RFC 7636 (2015). State should always be a separate, unpredictable nonce for CSRF protection, not piggyback on other security primitives. Skeptical take—OpenClaw’s small footprint (check npm: low downloads?) limits the blast radius, but transitive deps amplify risk. Devs: generate state via crypto.randomBytes(32).toString('hex'), store it in the session, and validate it on callback. Never expose verifiers.
Test your flows. Use OAuth debugging tools like OAuth Playground or mitmproxy to simulate. In production, enforce HTTPS, short code lifetimes (Gemini defaults ~10min), and monitor token issuances. This vuln underscores PKCE’s fragility when devs cut corners—security theater without discipline.
Bottom line: patch now. If you’re building with Gemini, audit all OAuth libs. Interception defeats like this erode trust in third-party auth, pushing costs onto token hygiene and anomaly detection. Stay sharp.