GHSA-68f8-9mhj-h2mp: OpenClaw: HTTP scope bypass enables model enumeration
GHSA-68f8-9mhj-h2mp MEDIUMOpenClaw's HTTP /v1/models endpoint skips the scope enforcement that its WebSocket RPC path applies, letting any authenticated operator—regardless of role—enumerate deployed model metadata. Upgrade to 2026.3.24 immediately; until patched, block /v1/models via reverse proxy ACL for non-read-scoped operators. The deeper concern is that this breaks your operator RBAC model at the transport level—scope boundaries you think are enforced are not.
What is the risk?
Medium. Exploitability is trivial for any authenticated operator—no special tooling required, just swap transport from WebSocket to HTTP with the same bearer token. Impact is constrained to model metadata enumeration rather than code execution or data exfiltration, but the authorization inconsistency is a design-level control failure that erodes the integrity of operator RBAC and satisfies recon objectives for a more targeted follow-on attack against specific model endpoints.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.3.23 | 2026.3.24 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Patch: upgrade the openclaw npm package to 2026.3.24 or later immediately.
-
Workaround (pre-patch): block HTTP GET /v1/models and /v1/models/:id at the reverse proxy or WAF layer for principals lacking operator.read scope.
-
Audit: review all operator credential assignments and verify scope assignments follow least-privilege—enumerate which operators have non-read scopes currently in use.
-
Detection: alert on HTTP GET /v1/models requests from principals that are simultaneously rejected on WebSocket models.list—this delta pattern signals deliberate bypass behavior.
-
Regression test post-patch: confirm operator.approvals without read is rejected on HTTP /v1/models (positive and negative controls per patch advisory).
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-68f8-9mhj-h2mp?
OpenClaw's HTTP /v1/models endpoint skips the scope enforcement that its WebSocket RPC path applies, letting any authenticated operator—regardless of role—enumerate deployed model metadata. Upgrade to 2026.3.24 immediately; until patched, block /v1/models via reverse proxy ACL for non-read-scoped operators. The deeper concern is that this breaks your operator RBAC model at the transport level—scope boundaries you think are enforced are not.
Is GHSA-68f8-9mhj-h2mp actively exploited?
No confirmed active exploitation of GHSA-68f8-9mhj-h2mp has been reported, but organizations should still patch proactively.
How to fix GHSA-68f8-9mhj-h2mp?
1. Patch: upgrade the openclaw npm package to 2026.3.24 or later immediately. 2. Workaround (pre-patch): block HTTP GET /v1/models and /v1/models/:id at the reverse proxy or WAF layer for principals lacking operator.read scope. 3. Audit: review all operator credential assignments and verify scope assignments follow least-privilege—enumerate which operators have non-read scopes currently in use. 4. Detection: alert on HTTP GET /v1/models requests from principals that are simultaneously rejected on WebSocket models.list—this delta pattern signals deliberate bypass behavior. 5. Regression test post-patch: confirm operator.approvals without read is rejected on HTTP /v1/models (positive and negative controls per patch advisory).
What systems are affected by GHSA-68f8-9mhj-h2mp?
This vulnerability affects the following AI/ML architecture patterns: API gateways, model serving, LLM inference endpoints.
What is the CVSS score for GHSA-68f8-9mhj-h2mp?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0014 Discover AI Model Family AML.T0040 AI Model Inference API Access AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
> Fixed in OpenClaw 2026.3.24, the current shipping release. ## Summary The OpenAI-compatible HTTP endpoint `/v1/models` accepts bearer auth but does not enforce operator method scopes. In contrast, the WebSocket RPC path enforces `operator.read` for `models.list`. A caller connected with `operator.approvals` (no read scope) is rejected for `models.list` (`missing scope: operator.read`) but can still enumerate model metadata through HTTP `/v1/models`. Confirmed on current `main` at commit `06de515b6c42816b62ec752e1c221cab67b38501`. ## Details The WS control-plane path enforces role/scope checks centrally before dispatching methods. For non-admin operators, this includes required method scopes such as `operator.read` for `models.list`. The HTTP compatibility path for `/v1/models` performs bearer authorization and then returns model metadata; it does not apply an equivalent scope check. As reproduced, a caller with only `operator.approvals` can: 1. connect successfully, 2. fail `models.list` over WS with `missing scope: operator.read`, 3. fetch `/v1/models` over HTTP with status 200 and model data. This is a cross-surface authorization inconsistency where the stricter WS policy can be bypassed via HTTP. ## Impact - Callers lacking `operator.read` can still enumerate gateway model metadata through HTTP compatibility routes. - Breaks scope model consistency between WS RPC and HTTP surfaces. - Weakens least-privilege expectations for operators granted non-read scopes. ## Patch Suggestion ### 1) Enforce read scope on `/v1/models` routes Apply a scope gate equivalent to `models.list` before serving `/v1/models` or `/v1/models/:id`. ### 2) Reuse centralized scope-authorization helper for HTTP compatibility endpoints Use the same operator scope logic used by WS dispatch (`authorizeOperatorScopesForMethod(...)`) to prevent policy drift. ### 3) Add regression tests Keep this PoC and add explicit negative/positive controls: - `operator.approvals` without read is rejected on HTTP `/v1/models`. - `operator.read` is accepted on both WS `models.list` and HTTP `/v1/models`. ## Credit Reported by @zpbrent.
Exploitation Scenario
An attacker with a compromised or legitimately-issued operator.approvals bearer token connects to the OpenClaw gateway. The WebSocket models.list call is rejected with 'missing scope: operator.read'. The attacker pivots to HTTP, sending GET /v1/models with the identical bearer token and receives HTTP 200 with full model inventory—names, versions, capability metadata. Armed with this enumeration, the attacker now knows exactly which LLM endpoints are deployed and can mount targeted inference probing, cost-harvesting, or further API enumeration against high-value model endpoints while remaining within their ostensibly limited operator role.
Weaknesses (CWE)
CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw