Impact
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.9.6, the application exposes several direct Ollama proxy routes that accept a caller-supplied url_idx path parameter. This parameter is used as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the authenticated user may use the requested model, and never which backend the request is routed to. Consequently, any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend that they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. The flaw permits unauthorized selection of backend services, potentially exposing sensitive data or enabling further internal exploitation.
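To make the authorization gap concrete, the following is an added illustrative reconstruction in Python, not Open WebUI's own code: the Backend, User and resolve_* names are assumptions. It places a resolver that checks only model access beside one that also bounds-checks the index, honours the admin's enabled flag, and requires that the selected backend actually serves the requested model.

```python
"""Constructed illustration of the url_idx routing check (not Open WebUI code)."""
from dataclasses import dataclass, field


@dataclass
class Backend:
    url: str
    enabled: bool = True                      # admin can disable a backend
    models: set = field(default_factory=set)  # models this backend serves


@dataclass
class User:
    name: str
    allowed_models: set                       # models the user may use


class Forbidden(Exception):
    pass


def resolve_vulnerable(user, model, url_idx, backends):
    # Vulnerable pattern: only the model is authorized; url_idx is then
    # trusted as a raw list index, so any index the caller supplies is used.
    if model not in user.allowed_models:
        raise Forbidden("model not permitted")
    return backends[url_idx].url


def resolve_hardened(user, model, url_idx, backends):
    if model not in user.allowed_models:
        raise Forbidden("model not permitted")
    # Reject non-integer or out-of-range indices instead of indexing blindly.
    if not isinstance(url_idx, int) or not 0 <= url_idx < len(backends):
        raise Forbidden("unknown backend index")
    backend = backends[url_idx]
    if not backend.enabled:
        raise Forbidden("backend disabled by administrator")
    # Tie the routing decision to the model check: the chosen backend must
    # be one that serves this model, so url_idx cannot reach other backends.
    if model not in backend.models:
        raise Forbidden("model not served by this backend")
    return backend.url


def is_allowed(resolver, user, model, url_idx, backends):
    """True if the resolver accepts the request, False if it raises Forbidden."""
    try:
        resolver(user, model, url_idx, backends)
        return True
    except Forbidden:
        return False


# Constructed sample configuration: a public backend and an admin-disabled one.
BACKENDS = [
    Backend("http://ollama-public:11434", True, {"llama3"}),
    Backend("http://ollama-internal:11434", False, {"llama3", "finance-model"}),
]
ALICE = User("alice", {"llama3"})
```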
Affected Systems
Open WebUI is a self-hosted AI platform designed to operate entirely offline. Versions before 0.9.6 are impacted; the fix is implemented in version 0.9.6. No specific operational environments are listed beyond the general use case of the platform.
Risk and Exploitability
The CVSS score of 6.3 indicates a medium severity. No EPSS data is available, so the likelihood of exploitation cannot be quantified from the advisory alone. The issue is not listed in the CISA KEV catalog. Because the flaw permits any authenticated user to choose an arbitrary backend, the attack vector is internal. An attacker requires only authentication to the application, after which they can redirect traffic to unauthorized backends. While there is no public exploit available at the moment, the vulnerability could be leveraged to access sensitive backend services or facilitate subsequent internal attacks.
OpenCVE Enrichment
GitHub GHSA