Description
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.
Published: 2026-07-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the Open WebUI platform lies in the arena task endpoints that bypass the model access checks. When an authenticated non-admin user with read access to an arena wrapper model invokes a task endpoint such as /api/v1/tasks/moa/completions, the platform incorrectly resolves the underlying model after the wrapper access check. In this direct path, the fallback resolution skips the final sub-model authorization and permits the user to interact with a model they should not be permitted to use. This results in unauthorized manipulation of a protected AI model and can expose confidential model data or misuse in downstream applications. The flaw is a case of Missing Access Control (CWE‑862).

Affected Systems

This issue affects the open-webui platform from version 0.8.12 through 0.9.x and up to, but not including, 0.10.0. Users running any release in that range are vulnerable and should upgrade to 0.10.0 or later.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no documented public exploitation at this time. Nonetheless, the attack requires only an authenticated session with read the bypass by simply invoking the exposed API endpoints. The presence of the bypass on the task routes removes the protective secondary model check, dramatically widening the potential impact.

Generated by OpenCVE AI on July 10, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the open-webui deployment to version 0.10.0 or later.
  • Restrict the usage of task endpoints (/api/v1/tasks/*) to users with administrative rights or disable them entirely in environments where model isolation is critical.
  • Re users only to authorized roles.

Generated by OpenCVE AI on July 10, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Thu, 09 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Description Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.
Title Open WebUI: Arena task endpoints can bypass underlying model access controls
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L'}


Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T18:08:12.064Z

Reserved: 2026-07-02T21:05:02.925Z

Link: CVE-2026-59225

cve-icon Vulnrichment

Updated: 2026-07-09T17:51:19.705Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T13:30:04Z

Weaknesses