Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
PR:L because a valid authenticated account is mandatory; C/I/A all Low because impact is unauthorized backend access without credential exfiltration, data disclosure, or scope change.
Primary rating from Vendor (https://github.com/open-webui/open-webui).
CVSS VectorVendor: https://github.com/open-webui/open-webui
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Summary
Several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested *model*, never which *backend* the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends.
Affected endpoints
All indexed Ollama routes that resolve the backend through get_ollama_url():
POST /ollama/api/chat/{url_idx}
POST /ollama/api/generate/{url_idx}
POST /ollama/api/embed/{url_idx}
POST /ollama/api/embeddings/{url_idx}
POST /ollama/v1/chat/completions/{url_idx}
POST /ollama/v1/completions/{url_idx}
POST /ollama/v1/messages/{url_idx}
POST /ollama/v1/responses/{url_idx}Root cause
backend/open_webui/routers/ollama.py - get_ollama_url() consults the model-to-backend allow-list (OLLAMA_MODELS[model]["urls"]) only when url_idx is omitted. When the caller supplies url_idx, that mapping is skipped and the value is used directly as an index:
async def get_ollama_url(request: Request, model: str, url_idx: Optional[int] = None):
if url_idx is None:
models = request.app.state.OLLAMA_MODELS
if model not in models:
raise HTTPException(...)
url_idx = random.choice(models[model].get("urls", []))
url = request.app.state.config.OLLAMA_BASE_URLS[url_idx]
# caller-controlled, no authz
return url, url_idxThe outbound request is then sent to that backend using the backend's own configured API key. Backends an admin has disabled (OLLAMA_API_CONFIGS["<idx>"].enable = false) are hidden from model discovery but remain reachable through the indexed route, because the disabled state is never re-checked at request time.
Impact
A verified, non-admin user with read access to any single model can:
- route requests to internal / higher-capability / restricted Ollama backends in
multi-backend deployments, bypassing backend-level isolation;
- reach backends the admin has explicitly disabled;
- have those requests authenticated with the target backend's configured API key
(the key is used server-side; it is not returned to the attacker);
- consume the restricted backend's compute.
There is no cross-user data disclosure and no exfiltration of the backend credential itself; the impact is unauthorized access to, and use of, restricted backend resources.
Affected / Patched
- Affected:
<= 0.9.5 - Patched:
>= 0.9.6
Fix
0.9.6 adds validate_ollama_backend_idx(), invoked on every indexed route (directly and via get_ollama_url()), which returns 403 for any non-admin caller-supplied url_idx that is not in the requested model's allowed urls. Because disabled backends are absent from every model's urls, the same check also blocks routing to disabled backends.
AnalysisAI
Incorrect authorization in Open WebUI versions 0.9.5 and earlier allows any authenticated non-admin user to route LLM inference requests to arbitrary configured Ollama backends - including internally restricted, higher-privilege, or admin-disabled instances - by supplying a raw integer url_idx path parameter on eight indexed proxy routes. The flaw bypasses backend-level access isolation entirely: model authorization is checked, but backend authorization is silently skipped when url_idx is caller-supplied, and disabled backends remain reachable because their disabled state is never re-evaluated at request time. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated user account on the Open WebUI instance (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) accurately reflects the attack profile: network-reachable, low complexity, requiring only a valid user account, with moderate but bounded impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated but non-admin Open WebUI user, knowing they have legitimate access to model `llama3` on backend index 0, sends a POST request to `/ollama/api/chat/2` with a valid `llama3` model payload. The server validates model-level access (passes), skips backend authorization because `url_idx=2` is caller-supplied, resolves `OLLAMA_BASE_URLS[2]` to a restricted internal Ollama instance, and forwards the request authenticated with that backend's configured API key. … |
| Remediation | Upgrade open-webui to version 0.9.6 or later, which is the vendor-released patch (confirmed by GitHub Security Advisory GHSA-9rpj-v7hf-vv2w). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38522
GHSA-9rpj-v7hf-vv2w