Executive Summary

CVE-2026-35619 is an authorization bypass vulnerability in OpenClaw versions before 2026.3.24. The issue exists in the HTTP /v1/models endpoint, which fails to enforce the required operator read scope restrictions. Specifically, attackers who only have the operator.approvals scope can exploit this flaw to enumerate gateway model metadata through the HTTP compatibility route. This bypasses the stricter authorization checks that are enforced in the WebSocket RPC interface, allowing unauthorized access to sensitive model information.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with limited permissions (operator.approvals scope) to bypass normal authorization controls and access gateway model metadata that should require higher privileges (operator.read scope). This weakens the principle of least privilege by enabling unauthorized enumeration of sensitive model information via the HTTP endpoint, potentially exposing internal model details that could be leveraged for further attacks or information gathering.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the HTTP /v1/models endpoint with an operator token that only has the operator.approvals scope and lacks the operator.read scope. If the endpoint returns gateway model metadata despite the limited scope, the system is vulnerable.

A practical detection method is to send an HTTP request to the /v1/models endpoint using a bearer token with operator.approvals scope and observe if model metadata is returned. This can be done using curl or similar HTTP clients.

• Example curl command to test the vulnerability: curl -H "Authorization: Bearer <operator.approvals_token>" https://<openclaw-host>/v1/models
• If the response includes model metadata, the authorization bypass exists.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaw to version 2026.3.24 or later, where the vulnerability has been fixed by enforcing the operator.read scope on the HTTP /v1/models endpoint.

Until the upgrade can be applied, consider restricting access to the HTTP /v1/models endpoint to trusted users or networks, or disabling the HTTP compatibility route if possible.

The fix involves reusing the centralized scope-authorization helper to ensure consistent enforcement of operator scopes across both WebSocket and HTTP interfaces.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in OpenClaw (CVE-2026-35619) allows an attacker with limited operator scope (operator.approvals) to bypass authorization checks and enumerate gateway model metadata via the HTTP /v1/models endpoint. This breaks the intended least-privilege access control by allowing unauthorized access to sensitive metadata that should require operator.read scope.

Such an authorization bypass can weaken the enforcement of access controls that are critical for compliance with standards and regulations like GDPR and HIPAA, which mandate strict controls on access to sensitive data and metadata. Unauthorized enumeration of model metadata could lead to exposure of sensitive information or system details that might be protected under these regulations.

Therefore, this vulnerability potentially impacts compliance by undermining the principle of least privilege and proper access control, which are foundational requirements in many regulatory frameworks.

Useful 0 Not Useful 0