5.3

CVE-2026-3691

EPSS 0.06%
Veröffentlicht 11.04.2026 00:17:40
Zuletzt bearbeitet 13.04.2026 15:01:43
Quelle zdi-disclosures@trendmicro.com
CVE-Watchlists
Login
Unerledigt
Login

OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose stored credentials on affected installations of OpenClaw. User interaction is required to exploit this vulnerability in that the target must initiate an OAuth authorization flow.

The specific flaw exists within the implementation of OAuth authorization. The issue results from the exposure of sensitive data in the authorization URL query string. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-29381.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerOpenClaw

≫

Produkt OpenClaw

Default Statusunknown

Version 2026.2.21

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.193

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
zdi-disclosures@trendmicro.com	5.3	1.6	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://www.zerodayinitiative.com/advisories/ZDI-26-229/

https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp

https://nvd.nist.gov/vuln/detail/CVE-2026-3691

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3691

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3691

EUVD