Raax

Rank: #18664 of 53,624
Total CVSS: 14.4
Vulnerabilities: 2
High: 2
PT-2026-31472
7.4
2026-04-08
Openclaw · Openclaw · CVE-2026-40037
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.8
Description: OpenClaw contains a request body replay vulnerability in the `fetchWithSsrFGuard` function that allows unsafe request bodies to be resent across cross-origin redirects. This could allow attackers to exfiltrate sensitive request data or headers to unintended origins.
Recommendations: Update OpenClaw to version 2026.4.8 or later.
PT-2026-30235
7.0
2026-04-03
Openclaw · Openclaw · CVE-2026-34511
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.2
Description: The application reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. An attacker capturing the redirect URL can obtain both the authorization code and the PKCE verifier, defeating PKCE protection and enabling token redemption.
Recommendations: Update to version 2026.4.2 or later.