CVE-2026-54021 | Open WebUI is a self-hosted artificial intelligence platform… | CVSS 6.3 MEDIUM

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. This vulnerability is fixed in 0.9.6.

Metadata

CVE ID: CVE-2026-54021
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-11 16:34 UTC
Published: 2026-06-23 16:39 UTC
Last updated: 2026-06-23 16:39 UTC
Primary CWE: CWE-863
CWE-863: Incorrect Authorization
Vendor / Product: open-webui / open-webui
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected products (1)

Vendor	Product	Platform	Versions
open-webui	open-webui	—	< 0.9.6

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	CWE-863: Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References (1)

https://github.com/open-webui/open-webui/security/advisories/GHSA-9rpj-v7hf-vv2w https://github.com/open-webui/open-webui/security/advisories/GHSA-9rpj-v7hf-vv2w