CVE-2026-54021
Analyzed Analyzed - Analysis Complete

Open WebUI Ollama Proxy URL Index Misconfiguration

Vulnerability report for CVE-2026-54021, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. This vulnerability is fixed in 0.9.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-26
Generated
2026-07-14
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openwebui open_webui to 0.9.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Open WebUI versions 0.9.5 and earlier, where several Ollama proxy routes accept a user-supplied url_idx path parameter that is used as a direct index into an admin-configured list of backend URLs (OLLAMA_BASE_URLS).

The problem is that while access control checks if a user can use a requested model, it does not verify which backend the request is routed to. This allows any authenticated user to manipulate the url_idx parameter to access internal, higher-privilege, or admin-disabled Ollama backends they are not authorized to reach.

The root cause is that the get_ollama_url() function bypasses model-to-backend mapping when url_idx is provided, using the caller-controlled index directly. This leads to unauthorized access to restricted backend resources.

The vulnerability affects multiple POST routes related to chat, generate, embed, and completions operations and is fixed in version 0.9.6 by adding validation to block non-admin users from accessing unauthorized backends.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow any authenticated user to bypass backend-level access controls and access internal or higher-privilege Ollama backends that they should not be authorized to use.

Such unauthorized access could lead to misuse of backend resources, including compute consumption on restricted backends.

Although backend credentials are not exposed, the ability to access and use unauthorized backends could compromise the intended isolation and security boundaries within the system.

Detection Guidance

This vulnerability can be detected by monitoring requests to the Ollama proxy routes in Open WebUI versions 0.9.5 and earlier that include a user-supplied url_idx path parameter. Specifically, look for authenticated user requests that supply arbitrary url_idx values to endpoints such as chat, generate, embed, and completions operations.

Detection commands could include inspecting web server logs or proxy logs for unusual or unauthorized url_idx values in the request paths. For example, using grep or similar tools to filter requests containing url_idx parameters:

  • grep -E "/(chat|generate|embed|completions)/.*url_idx=" /path/to/access.log
  • Analyze authenticated user activity for requests with unexpected url_idx values that do not correspond to authorized backends.

Additionally, network monitoring tools can be configured to alert on such suspicious requests targeting the vulnerable endpoints with arbitrary url_idx parameters.

Mitigation Strategies

The immediate mitigation step is to upgrade Open WebUI to version 0.9.6 or later, where this vulnerability is fixed.

Version 0.9.6 introduces a validation function, validate_ollama_backend_idx(), which blocks non-admin users from accessing unauthorized or disabled backends by properly checking the url_idx parameter.

Until the upgrade can be applied, restrict access to the affected Ollama proxy routes to trusted users only and monitor for suspicious url_idx usage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54021. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart