Open WebUI Model Access Control Bypass Vulnerability

Vulnerability

A vulnerability in Open WebUI versions prior to 0.8.11 allows authenticated users to bypass model access control on the OpenAI and Ollama chat API endpoints. This is achieved by appending a 'bypass_filter' query parameter, which is improperly exposed and can be used to invoke admin-restricted models. The issue arises from FastAPI's query string binding, which unintentionally exposes internal parameters to external users.

Impact

Exploitation of this vulnerability allows any authenticated user to access and use admin-restricted models through the server's API keys, bypassing established access controls.

Reproduction

To reproduce this vulnerability, first create a restricted model that is accessible only to admins. Then, authenticate as a regular user who does not have access to the restricted model. Attempt to use the model through the '/openai/chat/completions' endpoint without the bypass_filter parameter, which should result in a '403 Forbidden' response. Next, repeat the request with the bypass_filter parameter set to 'true', which will successfully bypass the access control and allow use of the restricted model.
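The following is an added example, not code from Open WebUI or FastAPI, that models the root cause described in the Vulnerability section and the before/after behaviour of the reproduction steps. The `bind_query` function is a simplified stand-in for FastAPI's query-string binding (any simple-typed handler parameter is filled by name from the query), the model and user records and the access-log lines are constructed, and the handler and helper names (`chat_completions_vulnerable`, `chat_completions_fixed`, `requests_with_bypass_flag`) are hypothetical. The vulnerable shape keeps an internal `bypass_filter` flag in the request handler's signature; the hardened shape removes it from anything the router binds and gives trusted server-side callers a separate entry point.

```python
"""Model of the bypass_filter access-control issue: a FastAPI-style binder
fills handler parameters from the query string, so an internal flag that is
part of the handler signature becomes caller-controlled.  Stand-alone example;
the binder is a simplified stand-in for FastAPI and all data is constructed."""
import inspect
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: one admin-only model, one public model, two users.
MODELS = {
    "restricted-model": {"access": "admin"},
    "public-model": {"access": "all"},
}
USERS = {
    "alice": {"role": "user"},
    "root": {"role": "admin"},
}

OK = 200
FORBIDDEN = 403


def bind_query(handler, user, query):
    """Simplified stand-in for FastAPI's query binding: every handler parameter
    except `user` (assumed to come from an auth dependency) is filled by name
    from the query string, falling back to its default.  Unknown query keys
    are ignored, as FastAPI does."""
    kwargs = {}
    for name, param in inspect.signature(handler).parameters.items():
        if name == "user":
            kwargs[name] = user
        elif name in query:
            raw = query[name]
            kwargs[name] = raw.lower() in ("1", "true", "yes") if param.annotation is bool else raw
        elif param.default is not inspect.Parameter.empty:
            kwargs[name] = param.default
        else:
            raise ValueError(f"missing query parameter: {name}")
    return handler(**kwargs)


def user_may_use(user, model_id):
    """Access rule: public models for everyone, admin-only models for admins."""
    return MODELS[model_id]["access"] == "all" or user["role"] == "admin"


# Vulnerable shape: the internal flag is a handler parameter, so the binder
# fills it from ?bypass_filter=true on any authenticated request.
def chat_completions_vulnerable(user, model: str, bypass_filter: bool = False):
    if not bypass_filter and not user_may_use(user, model):
        return FORBIDDEN
    return OK


# Hardened shape: the request-bound handler has no bypass parameter at all.
def chat_completions_fixed(user, model: str):
    if not user_may_use(user, model):
        return FORBIDDEN
    return OK


def internal_chat_completions(model: str):
    """Trusted server-side entry point for code paths that legitimately need
    to skip the per-user filter; it is never registered as a route, so the
    binder can never reach it from a query string."""
    return OK


def demo():
    """Runs the reproduction steps against both handler shapes as user alice."""
    alice = USERS["alice"]
    restricted = {"model": "restricted-model"}
    with_flag = {"model": "restricted-model", "bypass_filter": "true"}
    return {
        "vuln_no_flag": bind_query(chat_completions_vulnerable, alice, restricted),     # 403
        "vuln_with_flag": bind_query(chat_completions_vulnerable, alice, with_flag),    # 200: bypass
        "fixed_with_flag": bind_query(chat_completions_fixed, alice, with_flag),        # 403: flag ignored
        "fixed_public": bind_query(chat_completions_fixed, alice, {"model": "public-model"}),  # 200
    }


# Constructed access-log lines (not real Open WebUI log output).
SAMPLE_ACCESS_LOG = [
    'alice "POST /openai/chat/completions HTTP/1.1" 403',
    'alice "POST /openai/chat/completions?bypass_filter=true HTTP/1.1" 200',
    'root "POST /ollama/api/chat HTTP/1.1" 200',
]


def requests_with_bypass_flag(lines):
    """Defender check for instances not yet on 0.8.11: return log lines whose
    request query string carries a bypass_filter parameter."""
    hits = []
    for line in lines:
        request_target = line.split('"')[1].split()[1]
        if "bypass_filter" in parse_qs(urlsplit(request_target).query):
            hits.append(line)
    return hits
```

Running `demo()` shows the two reproduction requests side by side: the vulnerable handler answers 403 without the flag and 200 with it, while the fixed handler answers 403 either way because the query key is no longer bound to anything. The design point is that an internal toggle must not live in a signature the framework binds from the request; keeping it in a separate, non-routed function is what makes the parameter unreachable rather than merely checked.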

Remediation

Users can update to Open WebUI version 0.8.11 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 10:22 PM
Updated: May 15, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.