Impact
The vulnerability arises from Open WebUI’s model composition feature, where a composed model can invoke a base model specified by base_model_id. The access control logic only verifies permission for the composed model and never checks the base model’s access control. Furthermore, the API that creates and imports models accepts any base_model_id regardless of the caller’s rights. An attacker with the default permission to create models can therefore create a composed model that points to a restricted base model. When the composed model is queried, the server forwards the request to the restricted base model using the admin‑configured API key, effectively leaking that key and allowing the attacker to use restricted models without authorization. This results in a privilege escalation and unauthorized use of confidential or paid baseline models.
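The missing check described above, shown as an added example; this is not Open WebUI's code. Everything except the base_model_id field is assumed for illustration: the Model record, its other fields, the role names and the fail-closed handling of unknown or cyclic references. The sketch contrasts a check that looks only at the composed model with one that follows base_model_id, then audits stored models for compositions their owner could not use directly.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Model:  # hypothetical record, not the project's schema
    id: str
    owner: str
    base_model_id: Optional[str] = None   # set only on composed models
    allowed_users: set = field(default_factory=set)

def can_access(user, role, m):
    """Per-model check: admins, the owner, or explicitly granted users."""
    return role == "admin" or user == m.owner or user in m.allowed_users

def can_invoke_weak(user, role, model_id, models):
    """Flawed pattern from the advisory: only the composed model is checked."""
    return can_access(user, role, models[model_id])

def can_invoke_strict(user, role, model_id, models):
    """Check the requested model and every model reached via base_model_id."""
    seen, current = set(), model_id
    while current is not None:
        if current in seen or current not in models:
            return False          # cycle or unknown reference: fail closed
        seen.add(current)
        if not can_access(user, role, models[current]):
            return False
        current = models[current].base_model_id
    return True

def audit(models, roles):
    """Ids of composed models whose owner lacks access along the base chain."""
    return sorted(
        m.id for m in models.values()
        if m.base_model_id is not None
        and not can_invoke_strict(m.owner, roles.get(m.owner, "user"), m.id, models)
    )

# Constructed sample data for the example
MODELS = {m.id: m for m in [
    Model("paid-base", owner="admin1"),
    Model("open-base", owner="admin1", allowed_users={"alice", "bob"}),
    Model("bob-wrapper", owner="bob", base_model_id="paid-base"),
    Model("alice-helper", owner="alice", base_model_id="open-base"),
]}
ROLES = {"admin1": "admin", "alice": "user", "bob": "user"}
```

The same strict check belongs at model creation and import time, so that a base_model_id the caller cannot use is rejected before it is stored.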
Affected Systems
All releases of Open WebUI prior to version 0.9.0 are affected. The issue is specific to the open-webui:open-webui product and applies to any installation that enables model composition with base_model_id, particularly those that provide default model‑creation permissions to non‑admin users.
Risk and Exploitability
The CVSS score of 7.6 indicates a high-severity vulnerability. Exploitation requires only that the attacker possesses the default capability to create models; no additional credentials or external access are needed. Once a malicious composed model is created, each invocation uses the server’s privileged API key, giving the attacker functional access to the restricted base model. No EPSS score is provided, and the vulnerability has not yet appeared in the CISA KEV catalog, suggesting limited exploitation in the wild so far. Nevertheless, the presence of an API key in transit and the potential to generate additional expensive queries warrant timely mitigation.