
[HIGH] Security Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter (openclaw)

OpenClaw, an npm package for handling Gemini OAuth flows, shipped with a critical flaw before version 2026.4.2. Its developers reused the PKCE code verifier as the OAuth state parameter. Gemini’s OAuth provider echoes the state back in the redirect URI alongside the authorization code. Result: anyone who sees that redirect gets both the code and the verifier, nullifying PKCE’s core protection against code interception.

This defeats PKCE entirely for affected flows. PKCE (Proof Key for Code Exchange) secures the OAuth 2.0 authorization code flow for public clients such as browser apps. It works like this: the client generates a random code_verifier (43-128 characters), derives a code_challenge from it via SHA-256, and sends only the challenge with the authorization request. When the client later exchanges the authorization code for tokens, the server demands the original verifier and checks that it hashes to the challenge it saw earlier. An attacker who intercepts the code can’t redeem it without the verifier. But here, OpenClaw leaked the verifier in plain sight via state.

Technical Breakdown

The flow breaks at step one. Standard OAuth state is an unguessable per-request value that the provider echoes back so the client can tie the callback to the request it started (CSRF protection). It is designed to appear in the redirect URI, which is exactly why it must never carry a secret. OpenClaw versions up to 2026.4.1 set state = code_verifier. Gemini reflects it unchanged. Captured redirect URI: https://yourapp.com/callback?code=AUTH_CODE_HERE&state=LEAKED_VERIFIER_HERE. Done. The attacker redeems the pair for an access token, a refresh token, and whatever scopes were granted.

Affected package: openclaw on npm. Vulnerable: <= 2026.4.1. Fixed: >= 2026.4.2. Latest pre-patch: 2026.4.1. Fix commit a26f4d0f3ef0757db6c6c40277cc06a5de76c52f separates the state from the verifier by using distinct random values for each. Props to @BG0ECV for spotting and reporting it responsibly.

Context matters. PKCE became RFC 7636 in 2015 and is mandatory for OAuth 2.0 public clients per the OAuth 2.1 draft. Misimplementations like this pop up because devs cut corners or misunderstand the distinct roles of state and verifier. OpenClaw targets Gemini integration, likely Google’s Gemini API or crypto exchange auth. npm stats: as of now, low downloads (under 100 weekly pre-patch), so the blast radius is limited. But if your app uses it for user logins, assume compromise is possible.

Why This Matters and What to Do

Implications hit hard in real attacks. Redirect URIs leak via shared logs, browser history, MITM on insecure networks, or malicious browser extensions. Server-side apps might log full URIs—boom, verifier exposed. Client-side SPAs? Even worse; console or network tab reveals all. One captured flow grants attacker full token access, potentially account takeover, data exfil, or lateral movement.

Why care? OAuth/PKCE underpins modern auth: GitHub, Google, most SaaS. Flubs like this erode trust. Skeptical take: OpenClaw’s version scheme (2026.x?) smells like a prototype or internal tool, not battle-tested. npm’s wild west: anyone publishes. Fair point: the quick fix shows the maintainers listen. No exploitation reported yet, per the advisory.

Fix now:

npm update openclaw

or pin to 2026.4.2+. Audit your code: grep for state: codeVerifier. Rotate tokens issued through affected flows, and treat any logged redirect URI from a pre-patch flow as having exposed the verifier. Test your implementation with tools like the oauth.com tester or OWASP ZAP. Broader lesson: always generate a separate, cryptographically secure state (at least 128 bits of entropy), and never place the verifier in any parameter the provider echoes back. Use libraries like oidc-client-js or AppAuth that handle PKCE right.

Bottom line: sloppy PKCE kills security. Update OpenClaw, verify your flows, stay vigilant. This advisory underscores—don’t DIY OAuth. One leak, and your Gemini access is toast.

April 4, 2026 · Source: GitHub Security