Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDING_FUNCTION(...). This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used. Code reference: backend/open_webui/routers/memories.py (@router.get("/ef") -> calls request.app.state.EMBEDDING_FUNCTION("hello world")).
Details
GET /api/v1/memories/ef is reachable without authentication and triggers request.app.state.EMBEDDING_FUNCTION("hello world"). This crosses an intended security boundary by allowing unauthenticated users to invoke potentially expensive embedding computation and/or paid upstream embedding APIs.
PoC
- Start Open WebUI in default configuration (no special env hardening; default ENABLE_MEMORIES is true).
- From an unauthenticated client (no cookies/Authorization header), call:
curl -i http://\<host\>:\<port\>/api/v1/memories/ef
- Observe the server performs embedding generation and returns a response like:
- HTTP 200 with JSON containing the result.
How it can be abused / attacker actions:
- Send repeated requests to
/api/v1/memories/efto: - consume CPU/GPU resources (DoS)
- generate sustained outbound usage to embedding providers if configured (cost + rate-limit exhaustion)
- degrade latency/availability for legitimate users
Impact
If embeddings are configured to use paid/remote providers (OpenAI/Azure/etc), an attacker can generate unlimited requests and incur charges.
Resolution
Fixed in commit e5035ea31, first released in v0.8.0 (Feb 2026). The /api/v1/memories/ef route was removed entirely. It was a diagnostic/debug-style endpoint that hard-coded "hello world" through the embedding function without any authentication dependency; there was no legitimate caller that depended on it, so deletion was the cleaner fix than retrofitting auth. Users on >= 0.8.0 are not affected.
AnalysisAI
Unauthenticated attackers can invoke the GET /api/v1/memories/ef endpoint in Open WebUI versions ≤0.7.2 to trigger arbitrary embedding generation without authentication, enabling cost-based attacks against paid embedding providers (OpenAI, Azure) and denial-of-service via resource exhaustion. The endpoint executes request.app.state.EMBEDDING_FUNCTION() without any authentication check, allowing unlimited free API calls to downstream embedding services. Vendor-released patch available in v0.8.0 (February 2026) that removes the vulnerable endpoint entirely.
Technical ContextAI
Open WebUI is a Python-based web interface that integrates with large language models and embedding providers. The vulnerable endpoint is defined in backend/open_webui/routers/memories.py as an unauthenticated FastAPI GET route (@router.get("/ef")) that directly invokes request.app.state.EMBEDDING_FUNCTION() - a function pointer to a potentially expensive third-party embedding service (e.g., OpenAI Embeddings API, Azure OpenAI). The endpoint was a diagnostic/debug-style fixture that hardcoded the input string "hello world" and had no legitimate caller dependency. CWE-862 (Missing Authorization) classifies the root cause: the route handler lacks any authentication middleware or permission check before invoking privileged operations (calling paid embedding APIs). The vulnerability exists because the memories router endpoint was never gated by the authentication decorators applied to other sensitive endpoints in the codebase.
RemediationAI
Vendor-released patch: upgrade Open WebUI to version 0.8.0 or later. The fix removes the entire /api/v1/memories/ef endpoint (commit e5035ea31). No configuration option exists to disable only this endpoint in ≤0.7.2; the endpoint is hardcoded into the memories router and cannot be conditionally deactivated. If upgrading is not immediately possible, implement network-layer mitigation: (1) restrict HTTP access to /api/v1/memories/ef at the reverse proxy or firewall to known-safe IP ranges, blocking any external or untrusted clients; this prevents automated cost-injection but may break legitimate use cases if any exist (verify with your deployment); (2) implement strict rate-limiting on all /api/v1/memories/* endpoints to cap embedding API calls per second, reducing blast radius - side effect: legitimate memory operations may be throttled during high load; (3) configure billing alerts and API quotas at the embedding provider level (OpenAI/Azure) to trigger notifications or auto-shutoff if unexpected usage spikes occur. These are temporary measures only; patch application is mandatory for production safety.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30665
GHSA-m69w-p7m4-585j