Impact
Open WebUI is a self‑hosted artificial intelligence platform that runs offline. Before version 0.9.6, several direct, index‑addressed Ollama proxy routes accept a caller‑supplied url_idx path segment and use it as a raw index into the admin‑configured OLLAMA_BASE_URLS list. Access control on those routes validates only whether the user is allowed to use the requested model; it does not verify which backend the request ends up on. As a result, any authenticated user can append an arbitrary url_idx value to force their request onto an Ollama backend they were never authorized to reach, including internal, higher‑privilege, or explicitly admin‑disabled backends. This flaw allows the application to direct traffic to unauthorized backends, potentially exposing sensitive backend services or enabling further internal attacks. This is a CWE‑863 authorization bypass.
Affected Systems
Versions of Open WebUI prior to 0.9.6 are impacted. The vulnerability is fixed in version 0.9.6. No additional operational environments are specified beyond the general use case of the self‑hosted AI platform.
Risk and Exploitability
The CVSS score of 6.3 indicates a medium severity. No EPSS data is available, so the likelihood of exploitation cannot be quantified from the advisory alone. The vulnerability is not listed in the CISA KEV catalog. The flaw permits any authenticated user to choose an arbitrary backend, and the attack vector is internal. Based on the description, it is inferred that the attack vector involves an authenticated user's request to the Open WebUI instance. An attacker who is able to authenticate to the application can redirect traffic to unauthorized backends. While there is no public exploit known at the moment, the vulnerability could be leveraged to access sensitive backend services or facilitate subsequent internal attacks.
OpenCVE Enrichment
Github GHSA