GHSA-6G25-PC82-VFWP

Vulnerability from github – Published: 2026-03-03 00:39 – Updated: 2026-03-03 00:39
Summary
OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state
Details

Summary

The affected surface is the OpenClaw macOS app onboarding flow, and the macOS app is currently in beta. In that beta onboarding flow, Anthropic OAuth used the PKCE code_verifier value as OAuth state, exposing that secret in front-channel URL state.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.24 (latest published npm at triage time)
  • Affected surface: macOS app beta onboarding path (apps/macos)
  • Not affected: core CLI/gateway onboarding paths
  • Patched version: 2026.2.25

Impact

Scope is limited to the macOS beta onboarding OAuth path. Exploitation required obtaining both OAuth authorization artifacts and exposed state values during that flow.

Remediation

OpenClaw removed Anthropic OAuth sign-in from macOS onboarding and now supports setup-token-only Anthropic subscription auth in this path.

Fix Commit(s)

  • 8f3310000a8b0c11eced054c2cdb6fb27803511a

Release Process Note

patched_versions is pre-set to the release (2026.2.25). This advisory is published together with npm release 2026.2.25.

OpenClaw thanks @zdi-disclosures for reporting.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T00:39:40Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe affected surface is the OpenClaw macOS app onboarding flow, and the macOS app is currently in **beta**.\nIn that beta onboarding flow, Anthropic OAuth used the PKCE `code_verifier` value as OAuth `state`, exposing that secret in front-channel URL state.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.24` (latest published npm at triage time)\n- Affected surface: macOS app beta onboarding path (`apps/macos`)\n- Not affected: core CLI/gateway onboarding paths\n- Patched version : `2026.2.25`\n\n### Impact\n\nScope is limited to the macOS beta onboarding OAuth path. Exploitation required obtaining both OAuth authorization artifacts and exposed `state` values during that flow.\n\n### Remediation\n\nOpenClaw removed Anthropic OAuth sign-in from macOS onboarding and now supports setup-token-only Anthropic subscription auth in this path.\n\n### Fix Commit(s)\n\n- `8f3310000a8b0c11eced054c2cdb6fb27803511a`\n\n### Release Process Note\n\n`patched_versions` is pre-set to the release (`2026.2.25`).\nAdvisory published with npm release `2026.2.25`.2.25` is published, this advisory is published.\n\nOpenClaw thanks @zdi-disclosures for reporting.",
  "id": "GHSA-6g25-pc82-vfwp",
  "modified": "2026-03-03T00:39:40Z",
  "published": "2026-03-03T00:39:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/8f3310000a8b0c11eced054c2cdb6fb27803511a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state"
}