PT-2026-50592 · Pypi · Open-Webui

Published

2026-06-17

·

Updated

2026-06-17

·

CVE-2026-54021

CVSS v3.1

6.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Summary

Several direct, index-addressed Ollama proxy routes accept a caller-supplied url idx path parameter and use it as a raw index into the admin-configured OLLAMA BASE URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends.

Affected endpoints

All indexed Ollama routes that resolve the backend through get ollama url():
POST /ollama/api/chat/{url idx}
POST /ollama/api/generate/{url idx}
POST /ollama/api/embed/{url idx}
POST /ollama/api/embeddings/{url idx}
POST /ollama/v1/chat/completions/{url idx}
POST /ollama/v1/completions/{url idx}
POST /ollama/v1/messages/{url idx}
POST /ollama/v1/responses/{url idx}

Root cause

backend/open webui/routers/ollama.pyget ollama url() consults the model-to-backend allow-list (OLLAMA MODELS[model]["urls"]) only when url idx is omitted. When the caller supplies url idx, that mapping is skipped and the value is used directly as an index:
python
async def get ollama url(request: Request, model: str, url idx: Optional[int] = None):
  if url idx is None:
    models = request.app.state.OLLAMA MODELS
    if model not in models:
      raise HTTPException(...)
    url idx = random.choice(models[model].get("urls", []))
  url = request.app.state.config.OLLAMA BASE URLS[url idx]  # caller-controlled, no authz
  return url, url idx
The outbound request is then sent to that backend using the backend's own configured API key. Backends an admin has disabled (OLLAMA API CONFIGS["<idx>"].enable = false) are hidden from model discovery but remain reachable through the indexed route, because the disabled state is never re-checked at request time.

Impact

A verified, non-admin user with read access to any single model can:
  • route requests to internal / higher-capability / restricted Ollama backends in multi-backend deployments, bypassing backend-level isolation;
  • reach backends the admin has explicitly disabled;
  • have those requests authenticated with the target backend's configured API key (the key is used server-side; it is not returned to the attacker);
  • consume the restricted backend's compute.
There is no cross-user data disclosure and no exfiltration of the backend credential itself; the impact is unauthorized access to, and use of, restricted backend resources.

Affected / Patched

  • Affected: <= 0.9.5
  • Patched: >= 0.9.6

Fix

0.9.6 adds validate ollama backend idx(), invoked on every indexed route (directly and via get ollama url()), which returns 403 for any non-admin caller-supplied url idx that is not in the requested model's allowed urls. Because disabled backends are absent from every model's urls, the same check also blocks routing to disabled backends.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-54021
GHSA-9RPJ-V7HF-VV2W

Affected Products

Open-Webui