CVE-2026-59225 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability exists within Open WebUI version 0.8.12 through 0.10.0, representing a privilege escalation flaw that allows authenticated non-admin users to bypass access controls for underlying models. The security issue stems from inconsistent access control implementation between different API endpoints within the platform's architecture. When users interact with the standard chat routes, the system properly validates access permissions at multiple levels before dispatching to underlying models. However, certain task-based endpoints such as /api/v1/tasks/moa/completions follow a different execution path that skips critical access validation checks.

The technical flaw manifests in the implementation of the utils.chat.generate_chat_completion() function which is called directly by task routes without proper access verification. This direct execution path bypasses the normal arena model resolution process that typically occurs before chat dispatch, allowing unauthorized users to traverse through wrapper models and reach restricted underlying systems. The vulnerability exploits a recursive mechanism where arena fallback resolution occurs after initial wrapper access checks but with bypass_filter=True parameter, effectively skipping validation for selected submodels. This creates a security gap where the system fails to verify whether the user should have access to the specific underlying model being targeted.

The operational impact of this vulnerability is significant as it enables authenticated users with only read access to arena wrapper models to potentially access sensitive underlying systems that they should not be authorized to reach. This represents a clear violation of the principle of least privilege and could lead to unauthorized data exposure or system compromise depending on the nature of the underlying models. Attackers could leverage this flaw to escalate their privileges within the platform, potentially gaining access to confidential information or system resources that are normally restricted to administrators.

This vulnerability aligns with CWE-285 (Improper Authorization) and CWE-345 (Insufficient Verification of Data Authenticity), as it demonstrates inadequate access control verification and improper handling of model resolution paths. The flaw also maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) since it allows unauthorized access through legitimate user accounts that have been granted limited permissions. The issue specifically affects the platform's authorization framework where different code paths implement inconsistent security checks, creating a vector for privilege escalation attacks.

Mitigation strategies should involve implementing consistent access control validation across all API endpoints, ensuring that any path leading to underlying model execution performs proper authorization checks regardless of whether it's through standard chat routes or task-based endpoints. The fix in version 0.10.0 addresses this by normalizing the access control flow and ensuring that all model resolution paths maintain proper authorization verification. Organizations should also implement comprehensive logging of model access attempts and establish monitoring for unusual access patterns that might indicate exploitation attempts. Regular security audits of API endpoint implementations are essential to identify similar inconsistencies in access control mechanisms throughout the platform's architecture.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!