Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54021

CVE-2026-54021: Open WebUI Auth Bypass Vulnerability

CVE-2026-54021 is an authentication bypass flaw in Open WebUI that allows authenticated users to access unauthorized Ollama backends via url_idx manipulation. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-54021 Overview

CVE-2026-54021 is an authorization flaw in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. Versions prior to 0.9.6 expose direct, index-addressed Ollama proxy routes that accept a caller-supplied url_idx path parameter. The application uses this value as a raw index into the admin-configured OLLAMA_BASE_URLS list without verifying the caller's authorization to reach the selected backend. Access control only validates whether the user may use the requested model. Any authenticated user can append an arbitrary url_idx to route requests onto Ollama backends they were never authorized to reach. The vulnerability is tracked under [CWE-863] Incorrect Authorization and is fixed in version 0.9.6.

Critical Impact

Authenticated users can pivot to internal, higher-privilege, or admin-disabled Ollama backends by manipulating a path parameter, breaking backend isolation enforced by the administrator.

Affected Products

  • Open WebUI versions prior to 0.9.6
  • Self-hosted Open WebUI deployments with multiple configured OLLAMA_BASE_URLS
  • Open WebUI instances exposing index-addressed Ollama proxy routes

Discovery Timeline

  • 2026-06-23 - CVE-2026-54021 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-54021

Vulnerability Analysis

Open WebUI exposes several Ollama proxy endpoints that take a url_idx path parameter. The handler uses that integer directly as an index into the administrator-configured OLLAMA_BASE_URLS array. The authorization layer inspects only the requested model identifier and confirms the caller can invoke that model. It performs no check tying the model or the user's role to the selected backend index.

An authenticated low-privilege user can therefore append any valid url_idx value to direct the proxied request at any backend in the list. This includes internal Ollama instances intended for administrators, backends explicitly disabled in the admin UI, and instances reachable only from the server's internal network. The flaw enables a server-side authorization bypass with characteristics similar to broken object-level authorization. See the GitHub Security Advisory GHSA-9rpj-v7hf-vv2w for vendor details.

Root Cause

The root cause is incorrect authorization on the index-addressed proxy routes. The code trusts the url_idx path parameter as a routing decision rather than treating it as user-supplied input requiring authorization. Per-model access checks are decoupled from per-backend access checks, so backend selection escapes policy enforcement entirely.

Attack Vector

The attack vector is network-based and requires only a valid authenticated session. An attacker sends a normal Ollama proxy request through Open WebUI and appends or modifies the url_idx path segment to point at an unauthorized backend index. No additional privileges, user interaction, or specialized tooling are required. The vulnerability is described in prose because no verified public exploit code is available; refer to the vendor advisory for technical specifics.

Detection Methods for CVE-2026-54021

Indicators of Compromise

  • Requests to Ollama proxy endpoints containing unusual or out-of-range url_idx path values
  • Application logs showing the same authenticated user issuing requests cycling through multiple url_idx values
  • Outbound connections from the Open WebUI host to internal Ollama backends that should be unreachable from standard user sessions
  • Traffic to Ollama backends that administrators have disabled in the Open WebUI configuration

Detection Strategies

  • Parse Open WebUI access logs for proxy routes that include a url_idx parameter and correlate the index against the user's expected backend scope
  • Alert on authenticated non-admin accounts issuing requests with multiple distinct url_idx values within a short window
  • Compare network flow records from the Open WebUI server against the documented list of user-permitted Ollama backends

Monitoring Recommendations

  • Enable verbose logging on Open WebUI proxy handlers, capturing user identity, model identifier, and resolved backend URL
  • Forward Open WebUI and reverse-proxy logs to a centralized analytics platform for retrospective hunting on url_idx abuse
  • Monitor egress from the Open WebUI host to each configured Ollama backend and baseline expected per-user destinations

How to Mitigate CVE-2026-54021

Immediate Actions Required

  • Upgrade Open WebUI to version 0.9.6 or later, where the authorization check has been corrected
  • Audit the OLLAMA_BASE_URLS configuration and remove any entries that are not intended to be reachable by non-admin users
  • Review historical access logs for evidence of url_idx manipulation by non-admin accounts
  • Rotate any sensitive credentials or model API keys configured on internal Ollama backends that may have been reached

Patch Information

The vendor fixed CVE-2026-54021 in Open WebUI 0.9.6. The patch enforces backend-level authorization on the index-addressed Ollama proxy routes so that the caller-supplied url_idx cannot be used to reach backends outside the user's allowed scope. See the Open WebUI Security Advisory GHSA-9rpj-v7hf-vv2w for the official fix notes.

Workarounds

  • Restrict Open WebUI to trusted users only until the upgrade to 0.9.6 can be completed
  • Place a reverse proxy in front of Open WebUI that strips or validates the url_idx path segment on Ollama proxy routes
  • Configure network controls so the Open WebUI host can only reach Ollama backends that all authenticated users are permitted to use
  • Temporarily reduce OLLAMA_BASE_URLS to a single backend to eliminate cross-backend pivot opportunities
bash
# Configuration example: upgrade Open WebUI via pip
pip install --upgrade open-webui>=0.9.6

# Verify installed version
open-webui --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.