Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Network-accessible task endpoint requires only low-privilege auth; impact is limited to unauthorized read access to restricted model outputs with no integrity or confirmed availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionNVD
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.
AnalysisAI
Open WebUI versions 0.8.12 through 0.9.x expose a missing authorization flaw that permits authenticated non-admin users to reach restricted underlying AI models by exploiting a code-path divergence in task endpoints. The standard chat route (/api/v1/chat/completions) correctly re-validates submodel access after arena wrapper resolution, but task endpoints such as /api/v1/tasks/moa/completions call utils.chat.generate_chat_completion() directly, triggering arena fallback resolution after the wrapper check passes and recursing with bypass_filter=True - effectively nullifying the submodel access control. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Open WebUI account with non-admin privileges (PR:L) and read access to at least one configured arena wrapper model. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.4 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L) accurately captures the network-accessible, low-complexity nature of the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated non-admin Open WebUI user who holds read access to an arena wrapper model crafts a POST request to /api/v1/tasks/moa/completions referencing the wrapper model ID. The task endpoint's direct code path passes the wrapper access check, then resolves arena fallback and recurses with bypass_filter=True, silently elevating access to a restricted backend model (such as a premium or governance-controlled LLM) without triggering the submodel authorization gate. … |
| Remediation | Vendor-released patch: Open WebUI 0.10.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Webui
View allA vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42639