OpenClaw, Authorization Bypass, Fixed in 2026324 (Medium)

Listen to this Post

How the CVE Works

This vulnerability exploits an authorization inconsistency between two API surfaces in OpenClaw. The WebSocket RPC control plane enforces strict scope-based access control, requiring the `operator.read` scope to call the `models.list` method. However, the OpenAI-compatible HTTP endpoint /v1/models, which performs the same function of enumerating model metadata, only validates the bearer token for authentication. It fails to enforce the equivalent `operator.read` scope check.
A malicious or compromised caller possessing only the `operator.approvals` scope (which lacks read privileges) can leverage this flaw. When connecting via WebSocket, their attempt to call `models.list` is correctly rejected with a “missing scope: operator.read” error. But when they send a simple GET request to the `/v1/models` HTTP endpoint with the same valid bearer token, the server returns a 200 OK response containing the full list of model metadata. This bypasses the intended least-privilege model, as confirmed on commit 06de515b6c42816b62ec752e1c221cab67b38501. The root cause is the failure to apply a centralized scope-authorization helper to the HTTP compatibility route, leading to policy drift between the WebSocket and HTTP interfaces.

dailycve form

Platform: OpenClaw Gateway
Version: 2026.3.23, main
Vulnerability : AuthZ bypass info
Severity: Medium
date: 2026-03-31

Prediction: Fixed version 2026.3.24

What Undercode Say:

Analytics:

The vulnerability stems from inconsistent enforcement of the `operator.read` scope. The WebSocket path uses `authorizeOperatorScopesForMethod(…)` while the HTTP path uses only token validation. This drift can be detected via static analysis by identifying all HTTP handlers that call model-listing functions but lack a scope-checking wrapper.

Bash Commands / Code:

Reproduce the vulnerability using `curl` with a token that only has operator.approvals:

Attempt models.list over WebSocket (fails)
websocat "ws://target:8080/ws" --header "Authorization: Bearer <approvals_token>" --json '{"method":"models.list"}'
Bypass via HTTP (succeeds)
curl -H "Authorization: Bearer <approvals_token>" "http://target:8080/v1/models"

Test the fix by verifying the HTTP endpoint now enforces the scope:

After patch, this should return 403 Forbidden
curl -H "Authorization: Bearer <approvals_token>" "http://target:8080/v1/models"
This should return 200 OK
curl -H "Authorization: Bearer <read_token>" "http://target:8080/v1/models"

Exploit:

  1. Obtain a bearer token for an operator with only the `operator.approvals` scope.
  2. Send a GET request to the `/v1/models` HTTP endpoint with the token in the `Authorization` header.
  3. Observe the server returns a 200 OK response with the JSON list of model metadata, successfully bypassing the read-scope restriction.

Protection from this CVE

  1. Enforce Read Scope: Apply a scope gate equivalent to `models.list` before serving `/v1/models` and `/v1/models/:id` routes.
  2. Reuse Centralized Helper: Implement the same `authorizeOperatorScopesForMethod(…)` function used by the WebSocket dispatch for all HTTP compatibility endpoints to prevent policy drift.
  3. Add Regression Tests: Introduce negative tests ensuring a caller with `operator.approvals` (without read) is rejected on the HTTP `/v1/models` endpoint, and positive tests verifying `operator.read` is accepted on both interfaces.

Impact

  • Information Disclosure: Callers lacking the `operator.read` scope can enumerate gateway model metadata via HTTP routes.
  • Broken Scope Model: Inconsistent enforcement weakens the least-privilege security posture for operators granted non-read scopes.
  • Privilege Escalation Path: The inconsistency can be chained with other vulnerabilities to further compromise the gateway by first mapping available models.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top