Oauth

A critical vulnerability in OpenAI Codex — silently patched in February 2026 — allowed attackers to steal GitHub OAuth tokens through command injection, potentially compromising entire enterprise organizations sharing code repositories. Full public disclosure arrived March 31, 2026, thanks to research from Phantom Labs. The Vulnerability Phantom Labs, an identity security firm, discovered that OpenAI Codex was vulnerable to command injection in its shell execution environment. An attacker who could influence the commands sent to Codex — through crafted prompts, malicious repository content, or injected tool responses — could exfiltrate the GitHub OAuth token that Codex uses to authenticate with repositories. ...

At 2:44 p.m. UTC on March 11, 2026, thousands of developers found themselves locked out of Claude Code mid-session. No warning. No graceful degradation. Just a dead CLI and a 15-second timeout loop. The good news: if you were connecting via API key, you noticed nothing. The Claude API stayed fully operational throughout the two-hour incident — a detail that matters enormously for anyone designing resilient agentic workflows. What Actually Broke The failure was isolated to OAuth authentication — the browser-based login flow that Claude Code uses to connect to Anthropic’s servers. When developers ran /login, their browser would open, they’d click “Authorize,” see a confirmation… and then the CLI would hang until hitting its hardcoded 15-second timeout. ...

If OpenClaw is throwing 403 permission_error when it tries to call Claude, your OAuth session has been revoked by Anthropic. This is not a bug you can wait out — it’s a deliberate policy change. Here’s exactly what to do. Time estimate: 10–20 minutes Difficulty: Easy Who this affects: OpenClaw users who signed in with Claude Pro or Max subscription credentials (OAuth flow) rather than a direct API key First: Confirm You’re Affected Check your OpenClaw logs. If you see something like: ...

If you’ve been using OpenClaw with a Claude Pro or Max subscription via OAuth and suddenly started seeing 403 permission_error responses, you’re not alone — and the cause is not a bug you can wait out. Anthropic is actively and deliberately revoking OAuth token access for Claude Pro and Max subscriptions in third-party applications. OpenClaw is among the affected platforms. This isn’t just a version regression or a temporary outage. Multiple independent sources — a Medium post documenting a full migration away from Claude, an analysis on daveswift.com, and a GitHub commit trail — all confirm this is a deliberate policy shift. ...

Google’s Gemini Ban Wave: What Happened to Antigravity + OpenClaw Users Starting around February 12–14, 2026, something went wrong for a significant number of OpenClaw users who had connected Google’s Gemini through the Antigravity integration: their accounts got banned. Not rate-limited. Not warned. Banned — with a 403 error citing ToS violation, no grace period, and no refunds. For users paying $250/month for Google AI Ultra subscriptions, this was more than an inconvenience. ...