GHSA-9RPJ-V7HF-VV2W
Vulnerability from github – Published: 2026-06-17 18:01 – Updated: 2026-06-17 18:01Summary
Several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx
path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS
list. Access control on these routes validates only whether the user may use the
requested model, never which backend the request is routed to. Any authenticated
user can append an arbitrary url_idx to force their request onto an Ollama backend
they were never authorized to reach, including internal, higher-privilege, or
explicitly admin-disabled backends.
Affected endpoints
All indexed Ollama routes that resolve the backend through get_ollama_url():
POST /ollama/api/chat/{url_idx}
POST /ollama/api/generate/{url_idx}
POST /ollama/api/embed/{url_idx}
POST /ollama/api/embeddings/{url_idx}
POST /ollama/v1/chat/completions/{url_idx}
POST /ollama/v1/completions/{url_idx}
POST /ollama/v1/messages/{url_idx}
POST /ollama/v1/responses/{url_idx}
Root cause
backend/open_webui/routers/ollama.py — get_ollama_url() consults the
model-to-backend allow-list (OLLAMA_MODELS[model]["urls"]) only when url_idx is
omitted. When the caller supplies url_idx, that mapping is skipped and the value is
used directly as an index:
async def get_ollama_url(request: Request, model: str, url_idx: Optional[int] = None):
if url_idx is None:
models = request.app.state.OLLAMA_MODELS
if model not in models:
raise HTTPException(...)
url_idx = random.choice(models[model].get("urls", []))
url = request.app.state.config.OLLAMA_BASE_URLS[url_idx] # caller-controlled, no authz
return url, url_idx
The outbound request is then sent to that backend using the backend's own configured
API key. Backends an admin has disabled (OLLAMA_API_CONFIGS["<idx>"].enable = false)
are hidden from model discovery but remain reachable through the indexed route, because
the disabled state is never re-checked at request time.
Impact
A verified, non-admin user with read access to any single model can: - route requests to internal / higher-capability / restricted Ollama backends in multi-backend deployments, bypassing backend-level isolation; - reach backends the admin has explicitly disabled; - have those requests authenticated with the target backend's configured API key (the key is used server-side; it is not returned to the attacker); - consume the restricted backend's compute.
There is no cross-user data disclosure and no exfiltration of the backend credential itself; the impact is unauthorized access to, and use of, restricted backend resources.
Affected / Patched
- Affected:
<= 0.9.5 - Patched:
>= 0.9.6
Fix
0.9.6 adds validate_ollama_backend_idx(), invoked on every indexed route (directly and
via get_ollama_url()), which returns 403 for any non-admin caller-supplied url_idx
that is not in the requested model's allowed urls. Because disabled backends are absent
from every model's urls, the same check also blocks routing to disabled backends.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.5"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54021"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-17T18:01:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nSeveral direct, index-addressed Ollama proxy routes accept a caller-supplied `url_idx`\npath parameter and use it as a raw index into the admin-configured `OLLAMA_BASE_URLS`\nlist. Access control on these routes validates only whether the user may use the\nrequested *model*, never which *backend* the request is routed to. Any authenticated\nuser can append an arbitrary `url_idx` to force their request onto an Ollama backend\nthey were never authorized to reach, including internal, higher-privilege, or\nexplicitly admin-disabled backends.\n\n## Affected endpoints\n\nAll indexed Ollama routes that resolve the backend through `get_ollama_url()`:\n\n```\nPOST /ollama/api/chat/{url_idx}\nPOST /ollama/api/generate/{url_idx}\nPOST /ollama/api/embed/{url_idx}\nPOST /ollama/api/embeddings/{url_idx}\nPOST /ollama/v1/chat/completions/{url_idx}\nPOST /ollama/v1/completions/{url_idx}\nPOST /ollama/v1/messages/{url_idx}\nPOST /ollama/v1/responses/{url_idx}\n```\n\n## Root cause\n\n`backend/open_webui/routers/ollama.py` \u2014 `get_ollama_url()` consults the\nmodel-to-backend allow-list (`OLLAMA_MODELS[model][\"urls\"]`) only when `url_idx` is\nomitted. When the caller supplies `url_idx`, that mapping is skipped and the value is\nused directly as an index:\n\n```python\nasync def get_ollama_url(request: Request, model: str, url_idx: Optional[int] = None):\n if url_idx is None:\n models = request.app.state.OLLAMA_MODELS\n if model not in models:\n raise HTTPException(...)\n url_idx = random.choice(models[model].get(\"urls\", []))\n url = request.app.state.config.OLLAMA_BASE_URLS[url_idx] # caller-controlled, no authz\n return url, url_idx\n```\n\nThe outbound request is then sent to that backend using the backend\u0027s own configured\nAPI key. Backends an admin has disabled (`OLLAMA_API_CONFIGS[\"\u003cidx\u003e\"].enable = false`)\nare hidden from model discovery but remain reachable through the indexed route, because\nthe disabled state is never re-checked at request time.\n\n## Impact\n\nA verified, non-admin user with read access to any single model can:\n- route requests to internal / higher-capability / restricted Ollama backends in\n multi-backend deployments, bypassing backend-level isolation;\n- reach backends the admin has explicitly disabled;\n- have those requests authenticated with the target backend\u0027s configured API key\n (the key is used server-side; it is not returned to the attacker);\n- consume the restricted backend\u0027s compute.\n\nThere is no cross-user data disclosure and no exfiltration of the backend credential\nitself; the impact is unauthorized access to, and use of, restricted backend resources.\n\n## Affected / Patched\n\n- Affected: `\u003c= 0.9.5`\n- Patched: `\u003e= 0.9.6`\n\n## Fix\n\n0.9.6 adds `validate_ollama_backend_idx()`, invoked on every indexed route (directly and\nvia `get_ollama_url()`), which returns 403 for any non-admin caller-supplied `url_idx`\nthat is not in the requested model\u0027s allowed `urls`. Because disabled backends are absent\nfrom every model\u0027s `urls`, the same check also blocks routing to disabled backends.",
"id": "GHSA-9rpj-v7hf-vv2w",
"modified": "2026-06-17T18:01:50Z",
"published": "2026-06-17T18:01:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-9rpj-v7hf-vv2w"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.