Open WebUI Ollama Model Access Control Bypass Vulnerability

Vulnerability

A vulnerability exists in Open WebUI versions through 0.8.12, allowing unauthorized access to Ollama models via the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints. These endpoints forward requests to the Ollama backend without verifying if the user has permission to access the specified model. While the endpoints require authentication and validate that the model exists, they do not check access grants. This issue is fixed in version 0.9.0.
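The gap described above, reduced to a minimal sketch. This is an added example, not Open WebUI source code: every name in it (`proxy_request`, `may_use`, `MODELS`, the `check_grants` switch) is hypothetical, and the grant model (admin, owner, public model, or explicit grant) is an assumption made for illustration.

```python
"""Added illustration; hypothetical names, not Open WebUI source code."""
from dataclasses import dataclass, field
from typing import Optional

# The four proxy endpoints named in the advisory.
PROXY_ENDPOINTS = {"/api/generate", "/api/embed", "/api/embeddings", "/api/show"}


class Denied(Exception):
    """Raised when a request is refused; carries an HTTP-like status."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


@dataclass
class Model:
    name: str
    owner: str
    # User ids granted access; None means the model is public (assumption).
    granted_to: Optional[set] = field(default_factory=set)


# Constructed sample registry standing in for the model table.
MODELS = {
    "public-llm": Model("public-llm", "admin", None),
    "finance-llm": Model("finance-llm", "admin", {"alice"}),
}


def may_use(user, model):
    """Access-grant decision: admin, owner, public model, or explicit grant."""
    if user["role"] == "admin" or model.owner == user["id"]:
        return True
    return model.granted_to is None or user["id"] in model.granted_to


def proxy_request(user, endpoint, model_name, check_grants):
    """Pre-forward checks; check_grants=False reproduces the flawed flow."""
    if endpoint not in PROXY_ENDPOINTS:
        raise Denied(404, "unknown endpoint")
    if user is None:                      # authentication: present in both flows
        raise Denied(401, "not authenticated")
    model = MODELS.get(model_name)
    if model is None:                     # existence check: present in both flows
        raise Denied(404, "model not found")
    if check_grants and not may_use(user, model):  # the step the advisory says was missing
        raise Denied(403, "no access grant for model")
    return f"forwarded {endpoint} model={model_name} user={user['id']}"
```

With `check_grants=False`, a request from a user without a grant passes both the authentication and existence checks and is forwarded; with `check_grants=True` the same request is refused with 403 before it reaches the backend.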

Impact

This vulnerability bypasses model access controls on four Ollama proxy endpoints, allowing unauthorized users to access restricted models, consume GPU resources, and view sensitive model details through the /api/show endpoint.

Reproduction

To reproduce this vulnerability, an authenticated user must call the unprotected Ollama proxy endpoints /api/generate, /api/embed, /api/embeddings, or /api/show with a model name that they are not authorized to access. The requests will be processed without any access control checks, bypassing the intended restrictions.

Remediation

Users can upgrade to Open WebUI version 0.9.0 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 8:28 PM
Updated: May 15, 2026, 8:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 4.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.