Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. This vulnerability is fixed in 0.9.6.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI is a self‑hosted artificial intelligence platform that runs offline. Before version 0.9.6, several direct, index‑addressed Ollama proxy routes accept a caller‑supplied url_idx path segment and use it as a raw index into the admin‑configured OLLAMA_BASE_URLS list. Access control on those routes validates only whether the user is allowed to use the requested model; it does not verify which backend the request ends up on. As a result, any authenticated user can append an arbitrary url_idx value to force their request onto an Ollama backend they were never authorized to reach, including internal, higher‑privilege, or explicitly admin‑disabled backends. This flaw allows the application to direct traffic to unauthorized backends, potentially exposing sensitive backend services or enabling further internal attacks. This is a CWE‑863 authorization bypass.

Affected Systems

Versions of Open WebUI prior to 0.9.6 are impacted. The vulnerability is fixed in version 0.9.6. No additional operational environments are specified beyond the general use case of the self‑hosted AI platform.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity. No EPSS data is available, so the likelihood of exploitation cannot be quantified from the advisory alone. The vulnerability is not listed in the CISA KEV catalog. The flaw permits any authenticated user to choose an arbitrary backend, and the attack vector is internal. Based on the description, it is inferred that the attack vector involves an authenticated user's request to the Open WebUI instance. An attacker who is able to authenticate to the application can redirect traffic to unauthorized backends. While there is no public exploit known at the moment, the vulnerability could be leveraged to access sensitive backend services or facilitate subsequent internal attacks.

Generated by OpenCVE AI on June 24, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.6 or later to address the CWE‑863 authorization flaw and review or disable unused or internal Ollama backends in the admin configuration
  • Monitor user activity for anomalous url_idx usage to detect potential unauthorized backend selection
  • Configure firewall or reverse proxy rules to restrict which Ollama backends can be reached by the Open WebUI server

Generated by OpenCVE AI on June 24, 2026 at 13:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9rpj-v7hf-vv2w Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
History

Fri, 26 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. This vulnerability is fixed in 0.9.6.
Title Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:21:06.832Z

Reserved: 2026-06-11T16:34:11.637Z

Link: CVE-2026-54021

cve-icon Vulnrichment

Updated: 2026-06-26T19:21:03.177Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T14:00:07Z

Weaknesses