OpenClaw Authorization Bypass Vulnerability in HTTP /v1/models Endpoint

Vulnerability

A vulnerability allowing authorization bypass has been identified in OpenClaw versions prior to 2026.3.24. The issue resides in the HTTP /v1/models endpoint, which fails to enforce the operator.read scope requirement. As a result, an operator holding only the operator.approvals scope can enumerate gateway model metadata through this HTTP compatibility route, circumventing the stricter authorization check applied to the equivalent method in the WebSocket RPC context.

Impact

Exploitation of this vulnerability allows for unauthorized enumeration of gateway model metadata via the HTTP /v1/models endpoint, bypassing WebSocket RPC authorization checks. This creates a discrepancy in authorization enforcement between HTTP and WebSocket interfaces, undermining least-privilege principles for operators with limited scopes.

Reproduction

To reproduce this vulnerability, connect to the OpenClaw server using a bearer token that includes the operator.approvals scope but not the operator.read scope. Once connected, attempt to list models using the WebSocket 'models.list' method; the call is rejected because the read scope is missing. The same operator can nevertheless fetch model metadata through the HTTP /v1/models endpoint, demonstrating the authorization bypass.
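The root cause described in the Vulnerability and Reproduction sections is two surfaces (an HTTP compatibility route and a WebSocket RPC method) reaching the same data through separate authorization paths that drift apart. The following is an added example, not OpenClaw's own code, showing the vulnerable pattern beside the hardened one and a regression check that a defender can keep in CI. Only the scope names operator.read and operator.approvals come from the advisory; every function name, route key, principal object and model record here is a hypothetical stand-in.

```javascript
// Added illustration (not OpenClaw code): one scope table consulted by both the
// HTTP compatibility route and the WebSocket RPC method, so the two surfaces
// cannot disagree. Scope names come from the advisory; everything else is
// hypothetical and constructed for this example.

const SCOPE_READ = "operator.read";
const SCOPE_APPROVALS = "operator.approvals";

// Constructed sample of gateway model metadata (not real data).
const SAMPLE_MODELS = [
  { id: "model-a", provider: "example-provider" },
  { id: "model-b", provider: "example-provider" },
];

// Every way of reaching "list models" resolves to the same required scope.
// Keeping this in one table is the point: a new compatibility route has to
// register here, it cannot silently skip the scope check.
const REQUIRED_SCOPES = {
  "http:GET /v1/models": [SCOPE_READ],
  "rpc:models.list": [SCOPE_READ],
};

// Before-pattern (the bug class in the advisory): the HTTP route only checks
// that a principal is authenticated, never which scopes its token carries.
function listModelsHttpBefore(principal) {
  if (!principal) return { status: 401, body: null, missing: [] };
  return { status: 200, body: SAMPLE_MODELS, missing: [] };
}

// Shared authorization decision used by every surface.
function authorize(principal, action) {
  const required = REQUIRED_SCOPES[action];
  if (!required) return { ok: false, status: 404, missing: [] };
  if (!principal) return { ok: false, status: 401, missing: required };
  const missing = required.filter((s) => !principal.scopes.includes(s));
  if (missing.length > 0) return { ok: false, status: 403, missing };
  return { ok: true, status: 200, missing: [] };
}

// Hardened HTTP route: same decision function as the RPC method.
function listModelsHttp(principal) {
  const d = authorize(principal, "http:GET /v1/models");
  if (!d.ok) return { status: d.status, body: null, missing: d.missing };
  return { status: 200, body: SAMPLE_MODELS, missing: [] };
}

// WebSocket RPC handler for models.list, expressed with the same shape so the
// two can be compared directly.
function listModelsRpc(principal) {
  const d = authorize(principal, "rpc:models.list");
  if (!d.ok) return { status: d.status, body: null, missing: d.missing };
  return { status: 200, body: SAMPLE_MODELS, missing: [] };
}

// Regression check suitable for CI: for any principal, the HTTP route and the
// RPC method must reach the same verdict. A mismatch is exactly the HTTP/WS
// discrepancy the advisory describes.
function surfacesAgree(principal) {
  return listModelsHttp(principal).status === listModelsRpc(principal).status;
}

// Constructed demo principals: one with only the approvals scope, one reader.
const approvalsOnly = { subject: "op-1", scopes: [SCOPE_APPROVALS] };
const reader = { subject: "op-2", scopes: [SCOPE_READ] };

// Summary a reviewer can eyeball: the before-pattern leaks to approvals-only,
// the hardened route and the RPC method both refuse it.
function demo() {
  return {
    beforeHttpApprovalsOnly: listModelsHttpBefore(approvalsOnly).status, // 200 (bug)
    afterHttpApprovalsOnly: listModelsHttp(approvalsOnly).status, // 403
    rpcApprovalsOnly: listModelsRpc(approvalsOnly).status, // 403
    readerAgrees: surfacesAgree(reader), // true
  };
}
```

The value of `surfacesAgree` is that it tests the property the advisory is about rather than one route in isolation: run it over every principal fixture you have (no token, approvals-only, read-only, both) and a future compatibility route that forgets the scope check fails the build instead of shipping.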

Remediation

Users are advised to update to OpenClaw version 2026.3.24 or later, where this vulnerability has been patched.

Added: Apr 10, 2026, 6:44 PM
Updated: Apr 10, 2026, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.6
remediation: 0.0
relevance: 5.6
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.