CVE-2026-54021
Status: Undergoing Analysis - In Progress
Open WebUI Ollama Proxy URL Index Misconfiguration

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. This vulnerability is fixed in 0.9.6.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
open_webui  open_webui  up to 0.9.6 (exclusive)
open_webui  open_webui  0.9.6
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in Open WebUI versions 0.9.5 and earlier, where several Ollama proxy routes accept a user-supplied url_idx path parameter that is used as a direct index into an admin-configured list of backend URLs (OLLAMA_BASE_URLS).

The problem is that while access control checks if a user can use a requested model, it does not verify which backend the request is routed to. This allows any authenticated user to manipulate the url_idx parameter to access internal, higher-privilege, or admin-disabled Ollama backends they are not authorized to reach.

The root cause is that the get_ollama_url() function bypasses model-to-backend mapping when url_idx is provided, using the caller-controlled index directly. This leads to unauthorized access to restricted backend resources.

The vulnerability affects multiple POST routes related to chat, generate, embed, and completions operations and is fixed in version 0.9.6 by adding validation to block non-admin users from accessing unauthorized backends.

Impact Analysis

This vulnerability can allow any authenticated user to bypass backend-level access controls and access internal or higher-privilege Ollama backends that they should not be authorized to use.

Such unauthorized access could lead to misuse of backend resources, including compute consumption on restricted backends.

Although backend credentials are not exposed, the ability to access and use unauthorized backends could compromise the intended isolation and security boundaries within the system.

Detection Guidance

This vulnerability can be detected by monitoring requests to the Ollama proxy routes in Open WebUI versions 0.9.5 and earlier that include a user-supplied url_idx path parameter. Specifically, look for authenticated user requests that supply explicit url_idx values to the chat, generate, embed and completions endpoints.

Detection commands could include inspecting web server or proxy logs for unexpected url_idx values in request paths. Because url_idx is a path parameter rather than a query-string parameter, filter on a numeric segment following the operation name, for example:

  • grep -E "POST /.*/(chat|generate|embed|completions)/[0-9]+" /path/to/access.log
  • Analyze authenticated user activity for requests whose url_idx value does not correspond to a backend that user is authorized to reach.

Additionally, network monitoring tools can be configured to alert on such suspicious requests targeting the vulnerable endpoints with arbitrary url_idx parameters.
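The following is an added detection example for the access pattern described above; it is not tooling from Open WebUI or from this advisory. It scans constructed access-log lines for POST requests to the chat, generate, embed and completions proxy routes that carry a trailing numeric path segment (the url_idx position) and classifies each hit against the deployment's known backend list. The log layout (username, client IP, then a combined-log request line), the "/ollama/..." route prefix and the deployment facts (three backends, index 2 disabled, one admin) are assumptions constructed for the example.

```python
"""Added detection example for the url_idx access pattern (not Open WebUI code).
Scans constructed access-log lines for POST requests to chat/generate/embed/
completions routes that end in a numeric path segment and classifies each hit."""
import re
from dataclasses import dataclass
from typing import List

# Constructed log lines. The layout (username, client IP, then a combined-log
# request line) and the "/ollama/..." route prefix are assumptions for this
# example; adapt LOG_RE to the real proxy's format.
SAMPLE_LOG = """\
alice 10.0.0.5 - [23/Jun/2026:10:01:02 +0000] "POST /ollama/api/chat HTTP/1.1" 200 512
alice 10.0.0.5 - [23/Jun/2026:10:01:09 +0000] "POST /ollama/api/chat/1 HTTP/1.1" 200 498
bob 10.0.0.7 - [23/Jun/2026:10:02:11 +0000] "POST /ollama/api/generate/7 HTTP/1.1" 500 88
root 10.0.0.2 - [23/Jun/2026:10:03:30 +0000] "POST /ollama/v1/chat/completions/1 HTTP/1.1" 200 1200
carol 10.0.0.9 - [23/Jun/2026:10:04:45 +0000] "GET /api/models HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<user>\S+) (?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# url_idx is a *path* parameter, so look for a numeric final segment after the
# operation name rather than for a "url_idx=" query string.
ROUTE_RE = re.compile(r'/(?P<op>chat|generate|embed|completions)/(?P<idx>\d+)$')


@dataclass
class Finding:
    user: str
    path: str
    idx: int
    verdict: str


def classify(user: str, idx: int, num_backends: int, disabled: set, admins: set) -> str:
    """Order matters: an index that cannot be valid is the strongest signal,
    then one the admin disabled, then any non-admin naming a backend at all."""
    if idx >= num_backends:
        return "out_of_range_index"
    if idx in disabled:
        return "disabled_backend"
    if user not in admins:
        return "non_admin_explicit_index"
    return "admin_explicit_index"


def scan(log_text: str, num_backends: int, disabled: set, admins: set) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]          # ignore any query string
        r = ROUTE_RE.search(path)
        if not r:
            continue                                # no url_idx supplied: normal traffic
        idx = int(r["idx"])
        findings.append(Finding(m["user"], path, idx,
                                classify(m["user"], idx, num_backends, disabled, admins)))
    return findings


if __name__ == "__main__":
    # Constructed deployment facts: three configured backends, index 2 disabled, one admin.
    for f in scan(SAMPLE_LOG, num_backends=3, disabled={2}, admins={"root"}):
        print(f"{f.verdict:26} user={f.user:6} idx={f.idx} {f.path}")
```

The first alice line (no index) and carol's GET produce no finding; the three remaining POST lines are ranked so that an impossible index (bob's 7 against three backends) surfaces first, and an admin naming a backend explicitly is kept only as informational context.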

Mitigation Strategies

The immediate mitigation step is to upgrade Open WebUI to version 0.9.6 or later, where this vulnerability is fixed.

Version 0.9.6 introduces a validation function, validate_ollama_backend_idx(), which blocks non-admin users from accessing unauthorized or disabled backends by properly checking the url_idx parameter.

Until the upgrade can be applied, restrict access to the affected Ollama proxy routes to trusted users only and monitor for suspicious url_idx usage.
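As an added illustration of the CWE-863 pattern described in the Executive Summary and of the kind of check the Mitigation Strategies section refers to, the following hypothetical Python models a proxy that maps a model name to an admin-configured backend list. It is not Open WebUI's code: the class names, the disabled-index set, the model-to-backend mapping and the policy that pins non-admins to the backend serving their model are assumptions made for the example, and the hardened resolver is one plausible policy, not a transcription of the upstream validate_ollama_backend_idx() fix.

```python
"""Added illustration of the CWE-863 pattern described for CVE-2026-54021.
Hypothetical code, not Open WebUI's: a proxy that maps a model name to an
admin-configured backend list, showing why a caller-supplied raw index breaks
the authorization check, next to a resolver that validates the index first."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str                                   # "admin" or "user"
    allowed_models: set = field(default_factory=set)


@dataclass
class ProxyConfig:
    base_urls: list                             # stands in for OLLAMA_BASE_URLS
    disabled_idx: set                           # indices the admin switched off (assumed field)
    model_to_idx: dict                          # model name -> index of its backend (assumed field)


class Forbidden(Exception):
    """Raised where a web framework would return HTTP 403."""


def can_use_model(user: User, model: str) -> bool:
    # The only check the vulnerable routes performed: is the *model* permitted?
    return user.role == "admin" or model in user.allowed_models


def resolve_backend_vulnerable(cfg: ProxyConfig, user: User, model: str, url_idx=None) -> str:
    """Vulnerable shape: once the model check passes, a caller-supplied url_idx
    is used as a raw list index and the model-to-backend mapping is skipped."""
    if not can_use_model(user, model):
        raise Forbidden("model not permitted")
    if url_idx is not None:
        return cfg.base_urls[url_idx]           # no check on *which* backend
    return cfg.base_urls[cfg.model_to_idx[model]]


def validate_backend_idx(cfg: ProxyConfig, user: User, model: str, url_idx) -> int:
    """Hardened shape (one plausible policy, not necessarily the upstream fix):
    the index must exist, must not be disabled, and a non-admin may only name
    the backend that actually serves the model they were authorized for."""
    if not isinstance(url_idx, int) or not 0 <= url_idx < len(cfg.base_urls):
        raise Forbidden("unknown backend index")
    if url_idx in cfg.disabled_idx:
        raise Forbidden("backend disabled by admin")
    if user.role != "admin" and url_idx != cfg.model_to_idx.get(model):
        raise Forbidden("backend not authorized for this user")
    return url_idx


def resolve_backend_fixed(cfg: ProxyConfig, user: User, model: str, url_idx=None) -> str:
    if not can_use_model(user, model):
        raise Forbidden("model not permitted")
    idx = cfg.model_to_idx[model] if url_idx is None else validate_backend_idx(cfg, user, model, url_idx)
    return cfg.base_urls[idx]


def demo() -> dict:
    """Constructed scenario: a public backend, an internal one, and a disabled one."""
    cfg = ProxyConfig(
        base_urls=["http://ollama-public:11434", "http://ollama-internal:11434", "http://ollama-legacy:11434"],
        disabled_idx={2},
        model_to_idx={"llama3": 0, "finance-model": 1},
    )
    alice = User("alice", "user", {"llama3"})   # may use llama3 only, served by backend 0
    results = {}
    # Without url_idx both resolvers agree: llama3 goes to the public backend.
    results["default"] = resolve_backend_vulnerable(cfg, alice, "llama3")
    # With url_idx=1 the vulnerable resolver routes an authorized model to the internal backend.
    results["vulnerable_override"] = resolve_backend_vulnerable(cfg, alice, "llama3", 1)
    for label, idx in (("fixed_internal", 1), ("fixed_disabled", 2), ("fixed_oob", 9)):
        try:
            resolve_backend_fixed(cfg, alice, "llama3", idx)
            results[label] = "allowed"
        except Forbidden as exc:
            results[label] = f"forbidden: {exc}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two resolvers side by side is that both pass the same model check; only the second asks which backend the index names, which is the question the advisory says the affected routes never asked.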

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
