Impact
The flaw in the Open WebUI platform lies in the arena task endpoints that bypass the model access checks. When an authenticated non-admin user with read access to an arena wrapper model invokes a task endpoint such as /api/v1/tasks/moa/completions, the platform incorrectly resolves the underlying model after the wrapper access check. In this direct path, the fallback resolution skips the final sub-model authorization and permits the user to interact with a model they should not be permitted to use. This results in unauthorized manipulation of a protected AI model and can expose confidential model data or misuse in downstream applications. The flaw is a case of Missing Access Control (CWE‑862).
Affected Systems
This issue affects the open-webui platform from version 0.8.12 through 0.9.x and up to, but not including, 0.10.0. Users running any release in that range are vulnerable and should upgrade to 0.10.0 or later.
Risk and Exploitability
The CVSS score of 5.4 indicates a medium severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no documented public exploitation at this time. Nonetheless, the attack requires only an authenticated session with read the bypass by simply invoking the exposed API endpoints. The presence of the bypass on the task routes removes the protective secondary model check, dramatically widening the potential impact.
OpenCVE Enrichment