CVE-2026-45365 Overview
CVE-2026-45365 is an authorization bypass vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The flaw exposes an internal-only bypass_filter parameter on the /openai/chat/completions and /ollama/api/chat HTTP endpoints through FastAPI query string binding. Any authenticated user can append ?bypass_filter=true to a request and circumvent model access control checks, invoking admin-restricted models without authorization. The issue is tracked under CWE-285 (Improper Authorization) and is fixed in Open WebUI version 0.8.11.
Critical Impact
Authenticated low-privilege users can invoke administrator-restricted AI models, bypassing access policies enforced by the platform.
Affected Products
- Open WebUI versions prior to 0.8.11
- Deployments exposing /openai/chat/completions endpoint
- Deployments exposing /ollama/api/chat endpoint
Discovery Timeline
- 2026-05-15 - CVE-2026-45365 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45365
Vulnerability Analysis
The vulnerability resides in two HTTP request handlers within Open WebUI: /openai/chat/completions and /ollama/api/chat. Both endpoints rely on FastAPI's automatic query string binding to populate function arguments. A parameter named bypass_filter, intended for internal server-to-server invocation, is bound directly from the query string. The handler accepts user-supplied values for this parameter without distinguishing internal callers from external HTTP clients.
When bypass_filter=true is supplied, the request handler skips the model access control evaluation that normally enforces role-based restrictions on which models a user may invoke. Administrators commonly restrict certain models for cost, content policy, or data sensitivity reasons. The bypass nullifies these controls for any authenticated session.
The vulnerability falls under improper authorization (CWE-285) rather than authentication bypass, because a valid session is still required. The flaw is a classic confused deputy where a trusted internal flag is exposed at the HTTP boundary.
Root Cause
The root cause is the lack of separation between internal-only function parameters and externally bindable HTTP inputs. FastAPI's implicit query parameter binding promotes every unannotated function argument into a public input unless explicitly marked otherwise. The bypass_filter flag was treated as an internal control variable but was never excluded from external binding.
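The following added example (not Open WebUI code and not the maintainers' fix) is a small source audit for this bug class: it parses handler source with Python's ast module and lists scalar parameters of route handlers that a client can set from the query string. The sample handlers, the helper run_chat and the function names are hypothetical, and only plain bool/int/float/str annotations are checked.

```python
import ast
import re

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
SCALARS = {"bool", "int", "float", "str"}  # types FastAPI reads from the query string

# Constructed sample (hypothetical handlers, not Open WebUI source).
SAMPLE = '''
@router.post("/chat/completions")
async def chat(request: Request, form_data: dict, user=Depends(get_user),
               bypass_filter: bool = False):
    ...

@router.post("/chat/hardened")
async def chat_hardened(request: Request, form_data: dict, user=Depends(get_user)):
    return await run_chat(form_data, user)  # flag is never taken from the request

async def run_chat(form_data, user, bypass_filter: bool = False):
    ...
'''

def route_path(func):
    """Return the path from an @<router>.<method>("/path") decorator, else None."""
    for dec in func.decorator_list:
        if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                and dec.func.attr in HTTP_METHODS and dec.args
                and isinstance(dec.args[0], ast.Constant)):
            return dec.args[0].value
    return None

def query_bound_params(source):
    """Map route handler name -> scalar parameters bound implicitly from the query."""
    findings = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        path = route_path(node)
        if path is None:
            continue  # internal helper, not an HTTP entry point
        in_path = set(re.findall(r"\{(\w+)", path))
        pos = node.args.args
        defaults = [None] * (len(pos) - len(node.args.defaults)) + node.args.defaults
        pairs = list(zip(pos, defaults)) + list(zip(node.args.kwonlyargs, node.args.kw_defaults))
        names = [a.arg for a, d in pairs
                 if isinstance(a.annotation, ast.Name) and a.annotation.id in SCALARS
                 and not isinstance(d, ast.Call)  # skip Depends()/Body()/Header()...
                 and a.arg not in in_path]
        if names:
            findings[node.name] = names
    return findings

if __name__ == "__main__":
    print(query_bound_params(SAMPLE))
```

Each reported name is a public input of that route; a control flag that appears in the output should move into an internal helper that the handler calls without forwarding request data to it.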
Attack Vector
An attacker requires an authenticated account on the target Open WebUI instance. They issue a chat completion request to either affected endpoint and append ?bypass_filter=true to the URL. The server honors the flag, skips authorization checks, and processes the request against any model name the attacker specifies, including admin-restricted models.
No verified public proof-of-concept code is published. Refer to the GitHub Security Advisory GHSA-v6qf-75pr-p96m for vendor-confirmed technical details.
Detection Methods for CVE-2026-45365
Indicators of Compromise
- HTTP requests to /openai/chat/completions or /ollama/api/chat containing the bypass_filter=true query parameter from non-admin user sessions.
- Audit log entries showing non-admin users invoking models flagged as administrator-restricted.
- Unexpected token consumption or billing spikes tied to restricted upstream models.
Detection Strategies
- Inspect reverse proxy and application access logs for query strings containing bypass_filter. Legitimate traffic should never include this parameter.
- Correlate authenticated user identifiers with model invocation events to identify role-to-model policy violations.
- Deploy a Web Application Firewall (WAF) rule that blocks or alerts on the bypass_filter query parameter at the perimeter.
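The log inspection described above can be scripted as follows. This is an added example, not part of the original advisory; it assumes a combined-format reverse proxy access log, and the sample lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINTS = ("/openai/chat/completions", "/ollama/api/chat")
# Assumed combined-log layout; adapt the pattern to your proxy's log format.
LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2026:10:01:02 +0000] "POST /openai/chat/completions HTTP/1.1" 200 512',
    '192.0.2.44 - - [20/May/2026:10:03:17 +0000] "POST /openai/chat/completions?bypass_filter=true HTTP/1.1" 200 2048',
    '198.51.100.7 - - [20/May/2026:10:05:40 +0000] "POST /ollama/api/chat?stream=1&bypass_filter=1 HTTP/1.1" 403 153',
    '192.0.2.10 - - [20/May/2026:10:07:09 +0000] "POST /ollama/api/chat?note=bypass_filter HTTP/1.1" 200 640',
]

def find_bypass_requests(lines):
    """Return one record per request to an affected endpoint that carries bypass_filter."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # endswith() tolerates a deployment-specific path prefix in front of the route.
        if not url.path.rstrip("/").endswith(ENDPOINTS):
            continue
        # Compare the decoded parameter name instead of searching the raw string.
        params = parse_qs(url.query, keep_blank_values=True)
        if "bypass_filter" in params:
            hits.append({"source": m["src"], "time": m["ts"], "path": url.path,
                         "value": params["bypass_filter"][0], "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_bypass_requests(SAMPLE_LOG):
        print(hit)
```

The status field separates requests the application answered from those a proxy rule rejected, which helps prioritise the accounts to review.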
Monitoring Recommendations
- Forward Open WebUI access and audit logs to a centralized logging platform and alert on the bypass_filter token.
- Baseline per-user model usage and trigger alerts when users invoke models outside their assigned policy set.
- Monitor upstream provider API usage for unexpected calls to high-tier or restricted models.
How to Mitigate CVE-2026-45365
Immediate Actions Required
- Upgrade all Open WebUI instances to version 0.8.11 or later without delay.
- Audit application logs for prior use of the bypass_filter parameter and identify accounts that exercised it.
- Rotate API keys for upstream model providers if log review confirms unauthorized model access.
Patch Information
The maintainers fixed the issue in Open WebUI 0.8.11 by preventing external binding of the bypass_filter parameter. The fix and full advisory are documented in the Open WebUI GHSA-v6qf-75pr-p96m advisory.
Workarounds
- Place a reverse proxy or WAF in front of Open WebUI that strips or rejects requests containing the bypass_filter query parameter.
- Restrict network access to the /openai/chat/completions and /ollama/api/chat endpoints to trusted users until the patch is applied.
- Disable or remove user accounts that do not require LLM access to reduce the authenticated attack surface.
# Example NGINX rule to block requests containing the bypass_filter parameter
# Place inside the server or location block that proxies to Open WebUI
if ($args ~* "(^|&)bypass_filter=") {
    return 403;
}


