Publish GHSA-68f8-9mhj-h2mp

advisory-database[bot] · advisory-database[bot] · commit 877fa1eb72f3 · 2026-03-30T18:43:01.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-68f8-9mhj-h2mp/GHSA-68f8-9mhj-h2mp.json b/advisories/github-reviewed/2026/03/GHSA-68f8-9mhj-h2mp/GHSA-68f8-9mhj-h2mp.json
@@ -0,0 +1,54 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-68f8-9mhj-h2mp",
+  "modified": "2026-03-30T18:41:15Z",
+  "published": "2026-03-30T18:41:15Z",
+  "aliases": [],
+  "summary": "OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope",
+  "details": "> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n## Summary\n\nThe OpenAI-compatible HTTP endpoint `/v1/models` accepts bearer auth but does not enforce operator method scopes.\n\nIn contrast, the WebSocket RPC path enforces `operator.read` for `models.list`.\n\nA caller connected with `operator.approvals` (no read scope) is rejected for `models.list` (`missing scope: operator.read`) but can still enumerate model metadata through HTTP `/v1/models`.\n\nConfirmed on current `main` at commit `06de515b6c42816b62ec752e1c221cab67b38501`.\n\n## Details\n\nThe WS control-plane path enforces role/scope checks centrally before dispatching methods. For non-admin operators, this includes required method scopes such as `operator.read` for `models.list`.\n\nThe HTTP compatibility path for `/v1/models` performs bearer authorization and then returns model metadata; it does not apply an equivalent scope check.\n\nAs reproduced, a caller with only `operator.approvals` can:\n\n1. connect successfully,\n2. fail `models.list` over WS with `missing scope: operator.read`,\n3. fetch `/v1/models` over HTTP with status 200 and model data.\n\nThis is a cross-surface authorization inconsistency where the stricter WS policy can be bypassed via HTTP.\n\n## Impact\n\n- Callers lacking `operator.read` can still enumerate gateway model metadata through HTTP compatibility routes.\n- Breaks scope model consistency between WS RPC and HTTP surfaces.\n- Weakens least-privilege expectations for operators granted non-read scopes.\n\n## Patch Suggestion\n\n### 1) Enforce read scope on `/v1/models` routes\n\nApply a scope gate equivalent to `models.list` before serving `/v1/models` or `/v1/models/:id`.\n\n### 2) Reuse centralized scope-authorization helper for HTTP compatibility endpoints\n\nUse the same operator scope logic used by WS dispatch (`authorizeOperatorScopesForMethod(...)`) to prevent policy drift.\n\n### 3) Add regression tests\n\nKeep this PoC and add explicit negative/positive controls:\n\n- `operator.approvals` without read is rejected on HTTP `/v1/models`.\n- `operator.read` is accepted on both WS `models.list` and HTTP `/v1/models`.\n\n## Credit\n\nReported by @zpbrent.",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.24"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.23"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284",
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-30T18:41:15Z",
+    "nvd_published_at": null
+  }
+}
