Improper authorization control for web services In open-webui
Description
Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
Affected Component
Ollama proxy endpoints missing model access control:
backend/open_webui/routers/ollama.py (lines 955-995, generate_completion)
backend/open_webui/routers/ollama.py (lines 835-881, embed)
backend/open_webui/routers/ollama.py (lines 891-937, embeddings)
backend/open_webui/routers/ollama.py (lines 791-820, show_model_info)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions with Ollama model access control support.
Description
Four Ollama proxy endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access().
This is in direct contrast with the /ollama/api/chat endpoint (line 1101-1122) which correctly validates model access grants and returns 403 for unauthorized users:
# /api/chat (line 1101-1122) — CORRECTLY checks access if not bypass_filter and user.role == 'user': user_group_ids = {group.id for group in Groups.get_groups_by_member_id(user.id)} if not ( user.id == model_info.user_id or AccessGrants.has_access( user_id=user.id, resource_type='model', resource_id=model_info.id, permission='read',...
CVSS 3.1 Breakdown
Metric | Value | Rationale |
|---|---|---|
Attack Vector | Network (N) | Exploited remotely via API calls |
Attack Complexity | Low (L) | Single API call with a known model name |
Privileges Required | Low (L) | Requires any authenticated user account |
User Interaction | None (N) | No victim interaction required |
Scope | Unchanged (U) | Impact within the Ollama model access boundary |
Confidentiality | Low (L) | /api/show exposes restricted model details including system prompts and parameters |
Integrity | None (N) | No data modification |
Availability | Low (L) | Unauthorized consumption of GPU/compute resources on restricted models |
Attack Scenario
Admin configures model access control, restricting llama3:70b to the "ML Engineers" group. Regular user Alice is only authorized for llama3:8b.
Alice knows the restricted model name (model names are predictable — llama3:70b, mistral:latest, etc.).
Alice calls the unprotected endpoints directly:
# Run completions on restricted model curl -X POST /ollama/api/generate \ -H "Authorization: Bearer <alice_token>" \ -d '{"model": "llama3:70b", "prompt": "..."}' # View restricted model details and system prompt curl -X POST /ollama/api/show \ -H "Authorization: Bearer <alice_token>" \...
All requests succeed and are proxied to Ollama without any access control check.
Impact
Model access control is silently ineffective for four out of five Ollama proxy endpoints
Unauthorized users can consume GPU/compute resources on restricted models (cost and capacity impact in multi-user deployments)
/api/show exposes restricted model configurations including system prompts, parameters, templates, and license information
Admins have a false sense of security — access restrictions appear to work via the main chat interface but are trivially bypassed via direct API calls
Preconditions
Ollama must be configured as a backend
Admin must have configured model access control (not using BYPASS_MODEL_ACCESS_CONTROL=true)
Attacker must know the restricted model name (model names follow predictable conventions)
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 pypi | open-webui | 0.9.0 |
Aliases
References