Medium severity · 4.3 · NVD Advisory · Published Apr 10, 2026 · Updated Apr 13, 2026
CVE-2026-35619
Description
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the stricter WebSocket RPC authorization checks.
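The scope mismatch the description refers to, as an added illustration and not OpenClaw's own code: a hypothetical gateway where the WebSocket RPC path checks `operator.read` before listing models, while the HTTP compatibility route only checks for any `operator.*` scope. Scope names, handlers and the model list are constructed for the example; `findBypasses` shows a simple consistency check a maintainer can run across transports.

```javascript
// Hypothetical reconstruction of the CVE-2026-35619 pattern (not OpenClaw code).
// A caller carries a set of scope strings; listing models should require
// operator.read on every transport, but the HTTP compat route skipped that check.

const MODELS = ['model-a', 'model-b']; // constructed sample model metadata

class Forbidden extends Error {}

// Shared authorization helper: the caller must hold the exact scope required.
function requireScope(scopes, needed) {
  if (!scopes.has(needed)) throw new Forbidden(`missing scope ${needed}`);
}

// WebSocket RPC path (stricter): enforces operator.read before listing models.
function wsListModels(scopes) {
  requireScope(scopes, 'operator.read');
  return MODELS;
}

// Vulnerable HTTP compat route: only verifies that *some* operator scope is
// present, so operator.approvals alone is enough to enumerate model metadata.
function httpListModelsVulnerable(scopes) {
  const hasAnyOperator = [...scopes].some((s) => s.startsWith('operator.'));
  if (!hasAnyOperator) throw new Forbidden('not an operator');
  return MODELS;
}

// Fixed HTTP route: reuse the same scope check the RPC path applies.
function httpListModelsFixed(scopes) {
  requireScope(scopes, 'operator.read');
  return MODELS;
}

// Runs a handler with a scope list and reports 'allowed' or 'forbidden'.
function outcome(handler, scopes) {
  try { handler(new Set(scopes)); return 'allowed'; }
  catch (e) { if (e instanceof Forbidden) return 'forbidden'; throw e; }
}

// Consistency check: an HTTP handler is a bypass if it allows a scope set
// that the stricter RPC path denies for the same operation.
function findBypasses(httpHandler, scopeSets) {
  return scopeSets.filter(
    (s) => outcome(httpHandler, s) === 'allowed' && outcome(wsListModels, s) === 'forbidden'
  );
}

console.log(outcome(httpListModelsVulnerable, ['operator.approvals'])); // allowed
console.log(outcome(httpListModelsFixed, ['operator.approvals']));      // forbidden
```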
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.24 | 2026.3.24 |
References
- github.com/openclaw/openclaw/commit/06de515b6c42816b62ec752e1c221cab67b38501 (patch commit, via NVD)
- github.com/advisories/GHSA-68f8-9mhj-h2mp (GitHub Security Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp (vendor advisory with mitigation, via NVD)
- nvd.nist.gov/vuln/detail/CVE-2026-35619 (NVD entry)
- www.vulncheck.com/advisories/openclaw-authorization-bypass-via-http-v1-models-endpoint (third-party advisory, via NVD)