Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint (generate_chat_completion) checks model ownership, group membership, and AccessGrants before allowing a request, the /responses proxy only validates that the user has a valid session via get_verified_user.
This allows any authenticated user - regardless of role or group assignment - to interact with any model configured on the instance by sending a POST request to /api/openai/responses with an arbitrary model ID.
Impact
As per OWASP TOP 10 LLM:
- Model Denial of Service (OWASP LLM04): An unauthorized user can submit resource-intensive requests to expensive models (e.g., o1-pro, GPT-4o) that were explicitly restricted by the administrator. In shared deployments, this can exhaust API budgets or rate limits, causing total service disruption for all legitimate users.
- Model Theft (OWASP LLM10): If the instance proxies access to fine-tuned or self-hosted models, unauthorized users can freely interact with them, enabling capability extraction or model distillation without authorization.
- Access Policy Bypass: Administrators lose the ability to enforce cost-tier restrictions, team-based model assignments, or compliance boundaries through the existing access control system.
The endpoint is a raw passthrough proxy and does not resolve workspace model configurations (system prompts, knowledge bases, RAG pipelines). Therefore, workspace-specific confidential data is not directly exposed through this vector.
PR: https://github.com/open-webui/open-webui/pull/23481
AnalysisAI
Open WebUI versions through 0.8.12 allow any authenticated user to bypass model access controls and interact with restricted LLM models via the /api/openai/responses endpoint. The vulnerability permits low-privilege users to consume expensive models (GPT-4o, o1-pro) restricted by administrators, enabling budget exhaustion and denial of service against legitimate users in multi-tenant deployments. Publicly available exploit code exists via GitHub PR #23481. Vendor-released patch available in version 0.9.0. CVSS 7.1 (High) reflects network-accessible attack with low complexity requiring only basic authentication, yielding high availability impact and low confidentiality impact.
Technical ContextAI
Open WebUI is a Python-based web interface (distributed via PyPI as pkg:pip/open-webui) that proxies requests to upstream LLM providers including OpenAI, Anthropic, and self-hosted models. The platform implements role-based access control (RBAC) with user roles, group memberships, and AccessGrants to enforce per-model authorization. The primary chat completion endpoints (generate_chat_completion, generate_openai_completion) correctly validate model access by checking user ownership, group membership, and explicit grants before forwarding requests. However, the /responses endpoint in routers/openai.py only validates session tokens via get_verified_user without invoking the access control logic. This creates a parallel code path that bypasses the authorization layer entirely. The vulnerability maps to CWE-284 (Improper Access Control), a class of authorization flaws where authentication is present but permission checks are missing or incomplete. The GitHub PR diff shows the fix introduces a centralized check_model_access() function called before proxying requests, consolidating previously duplicated authorization logic across all endpoints.
RemediationAI
Upgrade to Open WebUI version 0.9.0 immediately, which introduces centralized access control via the check_model_access() function across all proxy endpoints including /responses (vendor advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-hp5m-24vp-vq2q, patch PR: https://github.com/open-webui/open-webui/pull/23481). For environments unable to upgrade immediately, implement compensating controls by restricting network access to the /api/openai/responses endpoint via reverse proxy rules (e.g., nginx location blocks returning 403 for non-admin users) or WAF policies. This workaround prevents exploitation but does not fix the underlying authorization gap and may break legitimate functionality if the responses endpoint is actively used. Alternatively, disable user registration and limit instance access to trusted administrators only, converting to single-user mode until patching is feasible. Review API usage logs for suspicious POST requests to /api/openai/responses with model IDs outside assigned user permissions to detect potential exploitation. The patch has no known side effects and does not alter API contracts or configuration requirements.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30624
GHSA-hp5m-24vp-vq2q