GHSA-68f8-9mhj-h2mp: OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
Summary
OpenClaw has a security inconsistency where the HTTP endpoint `/v1/models` (which serves OpenAI-compatible requests) accepts bearer authentication but doesn't check operator scopes (permissions that control what actions a user can perform), while the WebSocket RPC path correctly requires the `operator.read` scope. This means someone with only `operator.approvals` permission can bypass the scope requirement and view model metadata through the HTTP route, even though they would be rejected over WebSocket.
Solution / Mitigation
Fixed in OpenClaw 2026.3.24, the current shipping release. The patch involves: (1) enforcing read scope on `/v1/models` routes before serving the endpoint, (2) reusing the centralized scope-authorization helper function (`authorizeOperatorScopesForMethod(...)`) that WebSocket already uses for HTTP compatibility endpoints to prevent policy drift, and (3) adding regression tests to verify that `operator.approvals` without read is rejected on HTTP `/v1/models` while `operator.read` is accepted on both WebSocket and HTTP.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-68f8-9mhj-h2mp
First tracked: March 30, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%