Open WebUI Model Import Endpoint Overwrites Existing Models Without Ownership Validation

Vulnerability

A vulnerability in Open WebUI versions prior to 0.9.0 allows users with the 'workspace.models_import' permission to overwrite any existing model in the database through the 'POST /api/v1/models/import' endpoint. The vulnerability arises because the endpoint merges the attacker's payload with existing model data without checking ownership or access grants. This issue bypasses access grant restrictions that are normally enforced on other model mutation endpoints.
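The merge-without-authorization pattern described above, next to a hardened form, as a simplified in-memory model. This is an added example, not Open WebUI's code; the `Model` fields, the function names and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Model:
    id: str
    user_id: str                                   # owner of the model
    params: dict = field(default_factory=dict)     # e.g. the system prompt
    write_grants: set = field(default_factory=set) # user ids granted write access


def can_write(user_id, model):
    """Ownership / access-grant check (assumed shape, for illustration)."""
    return model.user_id == user_id or user_id in model.write_grants


def import_unchecked(db, user_id, payload):
    """Flawed pattern: merge the payload into any row that shares the id."""
    for item in payload:
        existing = db.get(item["id"])
        if existing:
            existing.params = {**existing.params, **item.get("params", {})}
        else:
            db[item["id"]] = Model(item["id"], user_id, dict(item.get("params", {})))
    return [item["id"] for item in payload]


def import_checked(db, user_id, payload):
    """Hardened pattern: authorize every existing target before any write."""
    denied = [i["id"] for i in payload
              if i["id"] in db and not can_write(user_id, db[i["id"]])]
    if denied:
        raise PermissionError("no write access to: " + ", ".join(denied))
    return import_unchecked(db, user_id, payload)


def sample_db():
    """Constructed sample data: one model owned by 'alice'."""
    return {"support-bot": Model("support-bot", "alice",
                                 {"system": "You are a support agent."})}
```

The hardened version rejects the whole batch before writing anything, so a denied entry cannot leave a partially applied import behind.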

Impact

Exploitation of this vulnerability allows for unauthorized modification of model data, including system prompts, base model references, and access grants. This could lead to models behaving in unintended ways, such as responding with attacker-controlled information.

Reproduction

To reproduce this vulnerability, a user with the 'workspace.models_import' permission can send a POST request to the '/api/v1/models/import' endpoint. The request must include a payload that specifies the ID of an existing model. The imported data will overwrite the original model without any ownership checks. This vulnerability can also be reproduced by an admin user, as the permission can be granted to other users.

Remediation

Users are advised to update Open WebUI to version 0.9.0 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 8:30 PM
Updated: May 15, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.