Open WebUI Access Control Vulnerability in OpenAI Router Responses Endpoint

Vulnerability

A vulnerability exists in Open WebUI versions through 0.8.12, specifically within the OpenAI router's /responses endpoint. This endpoint allows any authenticated user to send requests to upstream LLM providers without proper access control for individual models. Unlike the main chat completion endpoint, which verifies model ownership and group membership, the /responses proxy only checks for a valid user session. As a result, authenticated users can interact with any model available on the instance by sending a POST request to /api/openai/responses with a chosen model ID. This issue could lead to unauthorized access and interaction with restricted models, causing potential service disruptions or unauthorized extraction of model capabilities.
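To make the missing check concrete, here is an added illustration (not Open WebUI's code; the `User`, `Model`, `check_model_access` and `responses_proxy_*` names are hypothetical) contrasting a proxy handler that only requires a session with one that also enforces the per-model ownership and group-membership check the chat-completion path applies.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: str
    role: str                                   # "admin" or "user"
    groups: set = field(default_factory=set)    # group memberships

@dataclass
class Model:
    id: str
    owner_id: str
    access_groups: set = field(default_factory=set)  # groups granted access
    public: bool = False

class AccessDenied(Exception):
    pass

def check_model_access(user, model):
    """Per-model check: admin, owner, public model, or shared group."""
    if user.role == "admin":
        return True
    if model.public or model.owner_id == user.id:
        return True
    return bool(user.groups & model.access_groups)

def responses_proxy_vulnerable(user, models, body, forward):
    # Before: a valid session is the only gate; any model ID is forwarded.
    if user is None:
        raise AccessDenied("no session")
    return forward(models[body["model"]], body)

def responses_proxy_fixed(user, models, body, forward):
    # After: resolve the model and enforce access before proxying upstream.
    if user is None:
        raise AccessDenied("no session")
    model = models.get(body.get("model"))
    if model is None or not check_model_access(user, model):
        raise AccessDenied("model not permitted for this user")
    return forward(model, body)

# Constructed sample data: one public model, one restricted fine-tune.
MODELS = {
    "gpt-public": Model("gpt-public", "admin", public=True),
    "finetune-private": Model("finetune-private", "alice", {"research"}),
}

def fake_forward(model, body):
    # Stand-in for the upstream call; records what would have been sent.
    return {"model": model.id, "status": "forwarded"}
```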

Impact

Exploitation of this vulnerability allows authenticated users to bypass access controls, potentially leading to unauthorized interactions with restricted models. This could cause service disruptions by exhausting API budgets or rate limits, especially in shared deployments. Additionally, if fine-tuned or self-hosted models are accessed, it could enable unauthorized capability extraction or model distillation.

Remediation

Users can upgrade to Open WebUI version 0.9.0 or later to address this vulnerability.

Added: May 15, 2026, 8:34 PM
Updated: May 15, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 3.3
remediation: 7.7
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.