OpenClaw, an npm package that integrates with Google’s Gemini API, shipped with a critical OAuth flaw through version 2026.4.1 (fixed in 2026.4.2): it placed the PKCE code verifier in the OAuth state parameter. Google’s OAuth server echoes state back unchanged in the redirect URL, right next to the authorization code, so anyone who obtains that one URL holds both values needed to redeem the code for tokens.
PKCE, defined in RFC 7636, protects the OAuth 2.0 authorization code flow against code interception. The client generates a high-entropy code verifier, hashes it into a code challenge (S256), and sends only the challenge with the authorization request. After user approval, the provider redirects back with an authorization code. The client then redeems the code at the token endpoint together with the original verifier, and the provider checks that the verifier hashes to the challenge it saw earlier. Only the legitimate client knows the verifier, so a stolen code on its own is useless.
OpenClaw broke this by using the raw PKCE verifier as the OAuth state parameter. State exists to stop CSRF on the callback: it is a random value the client generates and checks when the redirect arrives. Providers, Google included, reflect it unchanged, which is exactly why it has to be treated as public. In OpenClaw’s Gemini flow the redirect looked like: https://client.com/callback?code=AUTH_CODE&state=PKCE_VERIFIER_HERE. Anyone who sees that single URL has both pieces.
Real-World Attack Scenarios
The redirect URL turns up wherever URLs end up: browser history, the Referer header if the callback page loads third-party resources, web-server, reverse-proxy and CDN access logs, crash reports, and on the wire if the callback is plain HTTP or TLS is being intercepted (on shared Wi-Fi with intact TLS, the query string is not visible). No session hijacking or phishing is needed; one logged line suffices. For a public client the remaining inputs are not secret: client_id and redirect_uri are in the authorization request, and although Google’s “desktop app” clients come with a client_secret, Google documents it as not confidential. With code and verifier in hand, the attacker POSTs to Google’s token endpoint, the same one OpenClaw itself uses:
curl -X POST \
https://oauth2.googleapis.com/token \
-d 'client_id=your_client_id' \
-d 'code=AUTH_CODE' \
-d 'code_verifier=PKCE_VERIFIER_HERE' \
-d 'grant_type=authorization_code' \
-d 'redirect_uri=your_redirect'
This returns an access token (and a refresh token if the app requested offline access) usable for Gemini API calls. The implications hit hard: unauthorized requests bill the victim’s Google project (Gemini 1.5 Pro was priced at $3.50 per million input tokens and $10.50 per million output tokens in 2024), any data the app passes through Gemini is reachable within the stolen token’s scopes, and the attacker can run their own workloads on the victim’s quota.
Over 1,000 weekly downloads on npm before the patch (per Snyk data) points to a sizable installed base, though downloads are not a one-to-one count of deployed apps. There is no evidence of exploitation in the wild yet, but a leak like this is a ready-made token-theft primitive. Similar flaws have hit auth libraries before; recall Auth0’s 2021 state reuse incident affecting millions.
Fix and Prevention
Upgrade to OpenClaw >= 2026.4.2. The patch (commit a26f4d0f3ef0757db6c6c40277cc06a5de76c52f) generates a separate random state value instead of reusing the verifier. Credit to @BG0ECV for the disclosure.
Rolling your own OAuth client? Rules to live by:
- Generate state separately: 128+ bits of entropy, base64url encoded, fresh per login.
- Never reuse the verifier as state. Treat state as public, because the provider echoes it back.
- Keep the verifier server-side (or in process memory for native clients), keyed by state; look it up on callback, consume each state once, and expire stale ones.
- Use HTTPS on every leg, including the callback; log redirect URLs minimally and scrub query strings from access logs.
- Test the flow with OWASP ZAP or Burp Suite; where you only need OAuth in front of a service, use a maintained component such as oauth2-proxy rather than hand-rolling it.
This isn’t rocket science, but developers cut corners on protocol details. PKCE has been mandatory for native apps since RFC 8252 (2017) and is required for every client in the OAuth 2.1 draft, yet misimplementations persist. OpenClaw fixed it fast, good on them, but scan your dependencies with npm audit or Snyk. In AI tooling, where API access costs real money, one leak means downtime or a drained budget.
Why this matters: as Gemini powers apps from chatbots to analytics, compromised auth opens the floodgates. Check your stack and patch now. No excuses in 2026.