Description
The NemoClaw-managed Ollama auth proxy on host port 11435 is supposed to be token-gated. Verified on v0.0.38: the proxy enforces tokens only on the OpenAI-compat namespace. A call to /v1/models without an Authorization header returns 401, but a call to /api/tags without an Authorization header returns 200. The proxy binds 0.0.0.0:11435, so any peer with network reach to the host can drive the Ollama-native namespace (/api/generate, /api/chat, /api/pull, /api/delete) without ever obtaining the token. DevTest T5987914 documents this as a negative assertion: "The auth proxy port (11435) MUST require a Bearer token — calls without Authorization: Bearer TOKEN should NOT return 200." Current behaviour violates that assertion for the /api/* namespace.
Environment
Device: Brev VM (shadeform brev-pz811qnfg)
OS: Ubuntu 22.04.5 LTS
Architecture: x86_64
Node.js: v22.22.2
npm: 10.9.7
Docker: 29.1.3 (build f52814d)
OpenShell CLI: openshell 0.0.36
NemoClaw: v0.0.38
OpenClaw: 2026.4.24
Ollama: 0.23.2 (loopback 127.0.0.1:11434)
Auth proxy: listening on 0.0.0.0:11435 (node process started by NemoClaw onboard)
Steps to Reproduce
1. Onboard NemoClaw on a Brev Ubuntu 22.04 VM with Local Ollama (option 7 at [3/8]); leave Ollama at the default 127.0.0.1:11434 bind.
2. Probe both proxy namespaces without a token:
curl -sm 5 -o /dev/null -w "%{http_code}\n" http://127.0.0.1:11435/api/tags
curl -sm 5 -o /dev/null -w "%{http_code}\n" http://127.0.0.1:11435/v1/models
3. Probe again with the Bearer token attached:
TOKEN=$(cat ~/.nemoclaw/ollama-proxy-token)
curl -sm 5 -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer $TOKEN" http://127.0.0.1:11435/api/tags
curl -sm 5 -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer $TOKEN" http://127.0.0.1:11435/v1/models
Expected Result
Every namespace served by the auth proxy requires the Bearer token. Both /api/tags and /v1/models return 401 without a token, and both return 200 with a valid token. The /api/* paths must not be a back door for clients that never obtained the token.
Actual Result
The auth check is only wired up for /v1/. /api/ is open. The four observed return codes:
/api/tags NO token -> 200 (unauthenticated access to Ollama-native API)
/v1/models NO token -> 401
/api/tags WITH token -> 200
/v1/models WITH token -> 200
Because the proxy binds 0.0.0.0:11435, an attacker reachable on the docker bridge, on the same VM subnet, or any UFW-permitted source can list, generate, pull, and delete models via /api/* without authentication.
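A sketch of the behaviour the Expected Result asks for, as an added example that is not NemoClaw's proxy code: the bearer check runs before any routing, so no namespace can be left out of it. The names `isAuthorized`, `tokenMatches` and `createProxy` are hypothetical, and the upstream address is assumed to be the loopback Ollama bind from the Environment section.

```javascript
const http = require("node:http");
const crypto = require("node:crypto");

// Assumption: upstream is the loopback Ollama bind listed in the report's environment.
const UPSTREAM = { host: "127.0.0.1", port: 11434 };

// Compare fixed-length digests in constant time so neither the token's
// content nor its length is exposed through response timing.
function tokenMatches(presented, expected) {
  const digest = (s) => crypto.createHash("sha256").update(String(s)).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Deny by default. req.url is deliberately never consulted, so there is no
// per-namespace allowlist that a new route (/api/*, /v1/*, ...) could miss.
function isAuthorized(req, expectedToken) {
  const m = /^Bearer (.+)$/i.exec(req.headers["authorization"] || "");
  return Boolean(m && expectedToken && tokenMatches(m[1], expectedToken));
}

// Hypothetical proxy factory: the gate runs before any routing or forwarding.
function createProxy(expectedToken) {
  return http.createServer((req, res) => {
    if (!isAuthorized(req, expectedToken)) {
      res.writeHead(401, { "WWW-Authenticate": "Bearer" });
      res.end();
      return;
    }
    const headers = { ...req.headers };
    delete headers.authorization; // keep the proxy token away from the upstream
    const upstream = http.request(
      { ...UPSTREAM, method: req.method, path: req.url, headers },
      (upRes) => {
        res.writeHead(upRes.statusCode, upRes.headers);
        upRes.pipe(res);
      }
    );
    upstream.on("error", () => {
      if (!res.headersSent) res.writeHead(502);
      res.end();
    });
    req.pipe(upstream);
  });
}
```

The block only defines the server; nothing listens until a caller invokes `createProxy(token).listen(...)`.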
Bug Details
| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Inference, NemoClaw_Security, NemoClaw-SWQA-RelBlckr-Recommended, NemoClaw-SWQA-Sprint4-Blocker |
[NVB#6164262]