Skip to main content

Open WebUI EUVDEUVD-2026-38522

| CVE-2026-54021 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-17 https://github.com/open-webui/open-webui GHSA-9rpj-v7hf-vv2w
6.3
CVSS 3.1 · Vendor: https://github.com/open-webui/open-webui
Share

Severity by source

Vendor (https://github.com/open-webui/open-webui) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
6.3 MEDIUM

PR:L because a valid authenticated account is mandatory; C/I/A all Low because impact is unauthorized backend access without credential exfiltration, data disclosure, or scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/open-webui/open-webui).

CVSS VectorVendor: https://github.com/open-webui/open-webui

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 01:53 vuln.today
Analysis Generated
Jun 18, 2026 - 01:53 vuln.today

DescriptionCVE.org

Summary

Several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested *model*, never which *backend* the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends.

Affected endpoints

All indexed Ollama routes that resolve the backend through get_ollama_url():

POST /ollama/api/chat/{url_idx}
POST /ollama/api/generate/{url_idx}
POST /ollama/api/embed/{url_idx}
POST /ollama/api/embeddings/{url_idx}
POST /ollama/v1/chat/completions/{url_idx}
POST /ollama/v1/completions/{url_idx}
POST /ollama/v1/messages/{url_idx}
POST /ollama/v1/responses/{url_idx}

Root cause

backend/open_webui/routers/ollama.py - get_ollama_url() consults the model-to-backend allow-list (OLLAMA_MODELS[model]["urls"]) only when url_idx is omitted. When the caller supplies url_idx, that mapping is skipped and the value is used directly as an index:

python
async def get_ollama_url(request: Request, model: str, url_idx: Optional[int] = None):
    if url_idx is None:
        models = request.app.state.OLLAMA_MODELS
        if model not in models:
            raise HTTPException(...)
        url_idx = random.choice(models[model].get("urls", []))
    url = request.app.state.config.OLLAMA_BASE_URLS[url_idx]
# caller-controlled, no authz
    return url, url_idx

The outbound request is then sent to that backend using the backend's own configured API key. Backends an admin has disabled (OLLAMA_API_CONFIGS["<idx>"].enable = false) are hidden from model discovery but remain reachable through the indexed route, because the disabled state is never re-checked at request time.

Impact

A verified, non-admin user with read access to any single model can:

  • route requests to internal / higher-capability / restricted Ollama backends in

multi-backend deployments, bypassing backend-level isolation;

  • reach backends the admin has explicitly disabled;
  • have those requests authenticated with the target backend's configured API key

(the key is used server-side; it is not returned to the attacker);

  • consume the restricted backend's compute.

There is no cross-user data disclosure and no exfiltration of the backend credential itself; the impact is unauthorized access to, and use of, restricted backend resources.

Affected / Patched

  • Affected: <= 0.9.5
  • Patched: >= 0.9.6

Fix

0.9.6 adds validate_ollama_backend_idx(), invoked on every indexed route (directly and via get_ollama_url()), which returns 403 for any non-admin caller-supplied url_idx that is not in the requested model's allowed urls. Because disabled backends are absent from every model's urls, the same check also blocks routing to disabled backends.

AnalysisAI

Incorrect authorization in Open WebUI versions 0.9.5 and earlier allows any authenticated non-admin user to route LLM inference requests to arbitrary configured Ollama backends - including internally restricted, higher-privilege, or admin-disabled instances - by supplying a raw integer url_idx path parameter on eight indexed proxy routes. The flaw bypasses backend-level access isolation entirely: model authorization is checked, but backend authorization is silently skipped when url_idx is caller-supplied, and disabled backends remain reachable because their disabled state is never re-evaluated at request time. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as low-privilege Open WebUI user
Delivery
Identify indexed Ollama route pattern with url_idx path parameter
Exploit
Enumerate backend indices by iterating url_idx values
Install
Craft POST request targeting restricted or disabled backend index
C2
Server skips backend authorization check, resolves target URL directly
Execute
Request forwarded to restricted Ollama backend with its configured API key
Impact
Unauthorized compute consumed on restricted backend

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated user account on the Open WebUI instance (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) accurately reflects the attack profile: network-reachable, low complexity, requiring only a valid user account, with moderate but bounded impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated but non-admin Open WebUI user, knowing they have legitimate access to model `llama3` on backend index 0, sends a POST request to `/ollama/api/chat/2` with a valid `llama3` model payload. The server validates model-level access (passes), skips backend authorization because `url_idx=2` is caller-supplied, resolves `OLLAMA_BASE_URLS[2]` to a restricted internal Ollama instance, and forwards the request authenticated with that backend's configured API key. …
Remediation Upgrade open-webui to version 0.9.6 or later, which is the vendor-released patch (confirmed by GitHub Security Advisory GHSA-9rpj-v7hf-vv2w). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

EUVD-2026-38522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy