CVE-2026-3691

MEDIUM 5.3

OpenClaw Client PKCE Verifier Information Disclosure Vulnerability

CVSS Score

5.3

EPSS Score

0.1%

EPSS Percentile

19th

OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose stored credentials on affected installations of OpenClaw. User interaction is required to exploit this vulnerability in that the target must initiate an OAuth authorization flow. The specific flaw exists within the implementation of OAuth authorization. The issue results from the exposure of sensitive data in the authorization URL query string. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-29381.

CWE	CWE-200
Vendor	openclaw
Product	openclaw
Published	Apr 11, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Versions

OpenClaw / OpenClaw

2026.2.21

References

NVD ↗ CVE.org ↗ EPSS Data ↗

zerodayinitiative.com: https://www.zerodayinitiative.com/advisories/ZDI-26-229/ github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp