Impact
The vulnerability is an access‑control flaw that allows an authenticated user of Open WebUI to append the query string parameter ?bypass_filter=true to certain HTTP endpoints and thereby circumvent the internal model‑access restrictions. The bypass is possible on the /openai/chat/completions and /ollama/api/chat routes in versions before 0.8.11. The effect is that a non‑admin user can invoke admin‑only models, potentially exposing business data or consuming privileged resources without authorization. The flaw is mapped to CWE‑285 (Improper Authorization), the weakness class in which an access‑control check can be bypassed so that an actor performs an action they are not permitted to perform.
Affected Systems
The affected product is Open WebUI from the open‑webui project, specifically all versions earlier than 0.8.11. Versions 0.8.10 and prior honor the bypass_filter query parameter on the relevant API endpoints. The vulnerability does not affect later releases, which have removed the parameter from the public API.
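The following is an added example, not code from the Open WebUI project, that models the access decision described in the Impact and Affected Systems sections above: the pre‑0.8.11 behaviour in which a client‑supplied bypass_filter=true short‑circuits the model filter, the hardened form in which the query string plays no part in the decision, and a detection hook a defender can keep after patching. The User, Model, MODELS and authorize_* names are assumptions for this example; the sample model catalog is constructed.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hypothetical, simplified stand-in for Open WebUI's model-access decision.
# Names (User, Model, MODELS, authorize_*) are assumptions for this example.


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "user"


@dataclass(frozen=True)
class Model:
    id: str
    admin_only: bool = False


# Constructed sample catalog: one public model, one restricted to admins.
MODELS = {
    "public-chat": Model("public-chat"),
    "internal-finance": Model("internal-finance", admin_only=True),
}

# Routes named in the advisory as accepting the bypass parameter before 0.8.11.
AFFECTED_PATHS = {"/openai/chat/completions", "/ollama/api/chat"}


def visible_models(user: User) -> set:
    """Server-side policy: non-admins never see admin-only models."""
    return {m.id for m in MODELS.values() if user.role == "admin" or not m.admin_only}


def client_requests_bypass(url: str) -> bool:
    """True when the request carries bypass_filter=true in its query string."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("bypass_filter", [""])[0].lower() == "true"


def authorize_vulnerable(user: User, url: str, model_id: str) -> bool:
    """Pre-0.8.11 behaviour as the advisory describes it: a client-controlled
    flag replaces the access filter with the full catalog."""
    if client_requests_bypass(url):
        return model_id in MODELS
    return model_id in visible_models(user)


def authorize_fixed(user: User, url: str, model_id: str) -> bool:
    """Hardened check: the request's query string has no influence on the decision."""
    return model_id in visible_models(user)


def is_suspicious(user: User, url: str) -> bool:
    """Detection hook: a non-admin sending bypass_filter=true to an affected
    route is worth alerting on even after the upgrade."""
    return (
        user.role != "admin"
        and urlsplit(url).path in AFFECTED_PATHS
        and client_requests_bypass(url)
    )
```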
Risk and Exploitability
The CVSS base score of 5.4 places the issue in the medium severity range. There is no EPSS data, so the likelihood of exploitation cannot be quantified, but because the flaw requires authenticated access and is only relevant to systems that still serve the old API paths, the practical risk is limited to hosts running an unpatched version of Open WebUI. The issue is not listed in CISA's KEV catalog, and no exploit is publicly available. An attacker would need valid user credentials, whether compromised or from a newly registered account, to supply the bypass parameter, which suggests a moderate threat environment, with the likely attack vector being an authenticated HTTP request to the affected endpoints.
OpenCVE Enrichment