Skip to content

Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter

Moderate severity GitHub Reviewed Published Jun 11, 2026 in open-webui/open-webui • Updated Jun 17, 2026

Package

pip open-webui (pip)

Affected versions

<= 0.9.5

Patched versions

0.9.6

Description

Summary

Several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx
path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS
list. Access control on these routes validates only whether the user may use the
requested model, never which backend the request is routed to. Any authenticated
user can append an arbitrary url_idx to force their request onto an Ollama backend
they were never authorized to reach, including internal, higher-privilege, or
explicitly admin-disabled backends.

Affected endpoints

All indexed Ollama routes that resolve the backend through get_ollama_url():

POST /ollama/api/chat/{url_idx}
POST /ollama/api/generate/{url_idx}
POST /ollama/api/embed/{url_idx}
POST /ollama/api/embeddings/{url_idx}
POST /ollama/v1/chat/completions/{url_idx}
POST /ollama/v1/completions/{url_idx}
POST /ollama/v1/messages/{url_idx}
POST /ollama/v1/responses/{url_idx}

Root cause

backend/open_webui/routers/ollama.pyget_ollama_url() consults the
model-to-backend allow-list (OLLAMA_MODELS[model]["urls"]) only when url_idx is
omitted. When the caller supplies url_idx, that mapping is skipped and the value is
used directly as an index:

async def get_ollama_url(request: Request, model: str, url_idx: Optional[int] = None):
    if url_idx is None:
        models = request.app.state.OLLAMA_MODELS
        if model not in models:
            raise HTTPException(...)
        url_idx = random.choice(models[model].get("urls", []))
    url = request.app.state.config.OLLAMA_BASE_URLS[url_idx]   # caller-controlled, no authz
    return url, url_idx

The outbound request is then sent to that backend using the backend's own configured
API key. Backends an admin has disabled (OLLAMA_API_CONFIGS["<idx>"].enable = false)
are hidden from model discovery but remain reachable through the indexed route, because
the disabled state is never re-checked at request time.

Impact

A verified, non-admin user with read access to any single model can:

  • route requests to internal / higher-capability / restricted Ollama backends in
    multi-backend deployments, bypassing backend-level isolation;
  • reach backends the admin has explicitly disabled;
  • have those requests authenticated with the target backend's configured API key
    (the key is used server-side; it is not returned to the attacker);
  • consume the restricted backend's compute.

There is no cross-user data disclosure and no exfiltration of the backend credential
itself; the impact is unauthorized access to, and use of, restricted backend resources.

Affected / Patched

  • Affected: <= 0.9.5
  • Patched: >= 0.9.6

Fix

0.9.6 adds validate_ollama_backend_idx(), invoked on every indexed route (directly and
via get_ollama_url()), which returns 403 for any non-admin caller-supplied url_idx
that is not in the requested model's allowed urls. Because disabled backends are absent
from every model's urls, the same check also blocks routing to disabled backends.

References

@doge-woof doge-woof published to open-webui/open-webui Jun 11, 2026
Published to the GitHub Advisory Database Jun 17, 2026
Reviewed Jun 17, 2026
Last updated Jun 17, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(14th percentile)

Weaknesses

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-54021

GHSA ID

GHSA-9rpj-v7hf-vv2w

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.