CVE-2026-59213 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability exists within Open WebUI versions between 0.6.27 and 0.10.0, specifically affecting the get_all_models handlers located in routers/openai.py and routers/ollama.py. This flaw represents a critical access control bypass that undermines the platform's user isolation mechanisms. The issue stems from improper cache key generation where a lambda function is incorrectly passed to the aiocache key parameter instead of the intended key_builder function. This misconfiguration causes the caching system to generate identical cache keys for different users' model lists, effectively creating a shared cache entry that should remain distinct per user session.

The technical implementation flaw manifests when multiple users access the model listing endpoints simultaneously or within the same time window defined by the cache time-to-live period. Since the lambda function does not properly differentiate between users, all requests receive the cached response from whichever user accessed the endpoint first during the TTL window. This creates a scenario where User A's filtered model list, which may only include models authorized for that specific user, gets served to User B who should only see their own restricted set of models. The vulnerability is classified as a cache-based access control bypass under CWE-284 and represents a direct violation of the principle of least privilege.

Operationally, this vulnerability exposes sensitive model information across users within the caching window, potentially allowing unauthorized access to models that should be restricted based on user permissions. Attackers could exploit this by simply making requests to the affected endpoints, requiring no additional credentials or privileges beyond normal access to the platform. The impact extends beyond simple information disclosure to potential privilege escalation scenarios where users might gain access to model configurations, pricing details, or other sensitive metadata that should remain isolated. This vulnerability directly relates to ATT&CK technique T1566.001 for credential access and T1213.002 for data from information repositories.

The mitigation involves upgrading to version 0.10.0 or later where the fix properly implements key_builder instead of lambda functions for cache key generation. Additionally, system administrators should review cache configurations to ensure proper user isolation mechanisms are in place and consider implementing more granular cache invalidation strategies. Organizations using Open WebUI should also conduct thorough security audits of their caching implementations to identify similar issues that might exist in other parts of the application or related services. The fix addresses the root cause by ensuring each user's model list is cached with a unique key that incorporates user-specific identifiers, thereby maintaining proper access controls and preventing cross-user cache contamination.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!