CVE-2026-59225
Received Received - Intake

Privilege Escalation in Open WebUI via Task Endpoints

Vulnerability report for CVE-2026-59225, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
open_webui open_webui From 0.10.0 (exc) to 0.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated non-admin users to bypass access controls and access restricted underlying models, potentially exposing confidential information or internal capabilities.

Such unauthorized access to restricted models can lead to confidentiality risks, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls to sensitive data.

Additionally, the vulnerability could result in unauthorized usage of paid model resources and consumption of provider quotas, which may indirectly affect operational compliance and resource governance.

Executive Summary

CVE-2026-59225 is an access control vulnerability in Open WebUI versions 0.8.12 to before 0.10.0. It allows an authenticated non-admin user with read access to an arena wrapper model to bypass access restrictions and interact with restricted underlying models through certain task endpoints like /api/v1/tasks/moa/completions.

The issue arises because the normal chat route properly checks model access before dispatching, but the task endpoints call the chat completion function directly with a parameter that skips the access check on the underlying model. This bypass lets users query restricted models they should not have access to.

The vulnerability is fixed in version 0.10.0 by enforcing proper access checks before allowing fallback to underlying models.

Impact Analysis

This vulnerability can impact you by allowing unauthorized access to restricted AI models within Open WebUI. An authenticated non-admin user with read access to an arena wrapper model can bypass intended access controls and interact with models they should not be able to use.

  • Confidentiality risks: Exposure of restricted models and their internal capabilities.
  • Integrity risks: Unauthorized usage of models, potentially consuming paid model usage or resources.
  • Availability risks: Consumption of provider quotas or resources by unauthorized users, potentially affecting service availability.
Detection Guidance

This vulnerability involves an access control bypass in Open WebUI versions 0.8.12 to 0.9.x, where authenticated non-admin users with read access to an arena wrapper model can access restricted underlying models through task endpoints such as /api/v1/tasks/moa/completions.

To detect exploitation attempts on your system, you can monitor access logs for unusual or unauthorized API calls to task endpoints like /api/v1/tasks/moa/completions by non-admin users.

Suggested commands include searching your server logs for requests to these endpoints, for example using grep:

  • grep "/api/v1/tasks/moa/completions" /path/to/access.log
  • grep -E "(user_id|username)" /path/to/access.log | grep "/api/v1/tasks/moa/completions"

Additionally, review authentication logs to identify non-admin users making requests to these endpoints.

Mitigation Strategies

The vulnerability is fixed in Open WebUI version 0.10.0. The immediate mitigation step is to upgrade your Open WebUI installation to version 0.10.0 or later.

The fix removes the bypass_filter=True flag in the generate_chat_completion() function and enforces proper model access checks before recursive dispatch, preventing unauthorized access to restricted models.

Until you can upgrade, consider restricting access to the vulnerable task endpoints (/api/v1/tasks/moa/completions) to only trusted admin users or disabling these endpoints if possible.

Monitor usage and audit logs for suspicious activity involving these endpoints and non-admin users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart