5.3

CVE-2026-3691

EPSS 0.46%
Veröffentlicht 11.04.2026 00:17:40
Zuletzt bearbeitet 27.04.2026 17:10:36
Quelle zdi-disclosures@trendmicro.com
CVE-Watchlists
Login
Unerledigt
Login

OpenClaw Client PKCE Verifier Information Disclosure Vulnerability

OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose stored credentials on affected installations of OpenClaw. User interaction is required to exploit this vulnerability in that the target must initiate an OAuth authorization flow.

The specific flaw exists within the implementation of OAuth authorization. The issue results from the exposure of sensitive data in the authorization URL query string. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-29381.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

OpenClaw ≫ OpenClaw SwPlatformnode.js Version < 2026.2.25

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.363

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
zdi-disclosures@trendmicro.com	5.3	1.6	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://www.zerodayinitiative.com/advisories/ZDI-26-229/

Third Party Advisory

https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-3691

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3691

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3691

EUVD