CVE-2026-35619: OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope

March 30, 2026 (updated April 10, 2026)

The OpenAI-compatible HTTP endpoint /v1/models accepts bearer auth but does not enforce operator method scopes.

In contrast, the WebSocket RPC path enforces operator.read for models.list.

A caller connected with operator.approvals (no read scope) is rejected for models.list (missing scope: operator.read) but can still enumerate model metadata through HTTP /v1/models.

Confirmed on current main at commit 06de515b6c42816b62ec752e1c221cab67b38501.

References

github.com/advisories/GHSA-68f8-9mhj-h2mp
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp
nvd.nist.gov/vuln/detail/CVE-2026-35619

Code Behaviors & Features

Detect and mitigate CVE-2026-35619 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →