CVE Catalog

CVE-2026-54021

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

Open WebUI before version 0.9.6 has a vulnerability in Ollama proxy routes where the url_idx parameter is used as a raw index into the OLLAMA_BASE_URLS list. An authenticated user can force a request to any Ollama backend, including internal, privileged, or admin-disabled ones, without proper authorization.

Risk Assessment

The risk involves unauthorized access to sensitive Ollama backends, potentially leading to data leakage, privilege escalation, or exploitation of internal resources.

Recommendation

It is recommended to immediately upgrade Open WebUI to version 0.9.6 or later, which fixes this vulnerability.

Original NVD description (English source)

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. This vulnerability is fixed in 0.9.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS