Open WebUI, Base Model Routing Bypass (Medium)


How the mentioned CVE works:

  1. Open WebUI allows model chaining via the `base_model_id` field, where a user-defined model points to an existing base model for actual inference.
  2. When a user creates a model, the endpoint `/api/v1/models/create` accepts any `base_model_id` without verifying caller access to that base model.
  3. The access control function `check_model_access()` (line 380 in utils/models.py) only checks the user-facing model, not the chained base model.
  4. In `main.py` lines 1696-1711, the chat completion pipeline resolves the `base_model_id` to the actual base model object.
  5. It rewrites the payload’s `"model"` field to the base model ID but performs no additional access check against the user.
  6. The rewritten payload is dispatched via `openai.py` (lines 1032-1037) or `ollama.py` (lines 1086-1090) using the admin’s API key.
  7. An attacker with the default model creation permission can create a model like `{"id": "cheap-assistant", "base_model_id": "gpt-4-turbo-restricted"}`.
  8. The creation endpoint does not validate that the attacker has access to `gpt-4-turbo-restricted` (a premium model restricted to a specific group).
  9. The attacker becomes the owner of `cheap-assistant`, so `check_model_access(attacker, cheap-assistant)` passes trivially.
  10. The attacker then sends a chat completion request to `/api/chat/completions` with `{"model": "cheap-assistant", "messages": [...]}`.
  11. The server resolves `cheap-assistant.base_model_id` to `gpt-4-turbo-restricted` and rewrites the payload without re-checking access.
  12. The upstream request is sent with the admin’s API key, bypassing the intended group restriction.
  13. The same bypass exists via the `/api/v1/models/import` endpoint, which can also overwrite existing models.
  14. No access check is performed on the base model at any point during model creation, import, or execution.
  15. This allows any user with the default `workspace.models` permission to chain to any existing base model on the instance.
  16. The vulnerability affects all versions that support the model chaining feature, including commit `6fdd19bf1` on the main branch.
  17. The root cause is a missing recursive access verification when dereferencing `base_model_id` in the model routing logic.
  18. The attack requires no privilege escalation other than the default model creation right (granted to all users by default).
  19. The admin sees access restrictions working in the standard model selector but remains unaware of user-created chains.
  20. This effectively nullifies access control for any model that is referenced as a base model, leading to policy bypass.
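The routing gap described in the steps above, and the recursive check that closes it, as an added Python example. This is not Open WebUI's code: the `User` and `Model` dataclasses, `has_read_access`, `resolve_vulnerable`, `resolve_fixed`, `base_model_allowed_for_create` and the fixture are simplified assumptions modelled on the structure the write-up describes (a per-model `check_model_access()`, a `base_model_id` rewrite, and a read ACL of group and user ids), not the project's real functions or tables.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


# Simplified stand-ins for Open WebUI's user and model records (an assumption of
# this example; only the fields the routing logic needs are modelled).
@dataclass
class User:
    id: str
    role: str = "user"                       # "admin" or "user"
    group_ids: Set[str] = field(default_factory=set)


@dataclass
class Model:
    id: str
    user_id: str                             # owner of the record
    base_model_id: Optional[str] = None      # set only for chained models
    # None = readable by everyone; otherwise
    # {"read": {"group_ids": [...], "user_ids": [...]}}
    access_control: Optional[dict] = None


def has_read_access(user: User, model: Model) -> bool:
    """Per-model check in the spirit of check_model_access(): admins and
    owners always pass, otherwise the read ACL decides."""
    if user.role == "admin" or model.user_id == user.id:
        return True
    if model.access_control is None:
        return True
    read = model.access_control.get("read", {})
    return user.id in read.get("user_ids", []) or bool(
        user.group_ids & set(read.get("group_ids", []))
    )


def resolve_vulnerable(user: User, model_id: str, models: Dict[str, Model]) -> str:
    """The flawed pattern: check the user-facing model, then rewrite to its
    base_model_id without checking the base."""
    model = models[model_id]
    if not has_read_access(user, model):
        raise PermissionError(f"{user.id} may not use {model.id}")
    return model.base_model_id or model.id


def resolve_fixed(user: User, model_id: str, models: Dict[str, Model],
                  max_depth: int = 8) -> str:
    """Walk the whole chain and require read access at every hop.  Cycles,
    over-long chains and dangling references are rejected as well (a design
    choice of this example)."""
    seen = []
    current = models.get(model_id)
    while current is not None:
        if current.id in seen or len(seen) >= max_depth:
            raise ValueError(f"bad chain at {current.id}: {seen}")
        seen.append(current.id)
        if not has_read_access(user, current):
            raise PermissionError(f"{user.id} may not use {current.id}")
        if current.base_model_id is None:
            return current.id
        current = models.get(current.base_model_id)
    raise LookupError(f"unknown model after {seen}")


def base_model_allowed_for_create(user: User, base_model_id: str,
                                  models: Dict[str, Model]) -> bool:
    """Creation/import-time validation: the caller must already be able to
    reach everything the new model would chain to."""
    try:
        resolve_fixed(user, base_model_id, models)
        return True
    except (PermissionError, LookupError, ValueError):
        return False


def outcome(fn, *args):
    """Run a resolver and report ("ok", base_id) or ("denied"/"error", msg)."""
    try:
        return ("ok", fn(*args))
    except PermissionError as exc:
        return ("denied", str(exc))
    except (LookupError, ValueError) as exc:
        return ("error", str(exc))


# Constructed fixture mirroring the write-up's scenario.
ADMIN = User("admin", role="admin")
MALLORY = User("mallory", group_ids={"free"})        # only the default workspace.models right
PAT = User("pat", group_ids={"premium"})             # legitimately entitled to the base
MODELS = {
    "gpt-4-turbo-restricted": Model(
        "gpt-4-turbo-restricted", user_id="admin",
        access_control={"read": {"group_ids": ["premium"], "user_ids": []}},
    ),
    # Created by mallory via /api/v1/models/create; left public so anyone can select it.
    "cheap-assistant": Model("cheap-assistant", user_id="mallory",
                             base_model_id="gpt-4-turbo-restricted"),
}

if __name__ == "__main__":
    print(outcome(resolve_vulnerable, MALLORY, "cheap-assistant", MODELS))
    print(outcome(resolve_fixed, MALLORY, "cheap-assistant", MODELS))
    print(base_model_allowed_for_create(MALLORY, "gpt-4-turbo-restricted", MODELS))
```

`resolve_vulnerable` lets `mallory` reach `gpt-4-turbo-restricted` through `cheap-assistant` because the only check is against the model she owns; `resolve_fixed` re-applies the check at the base hop and denies her while still resolving the same chain for `pat` and the admin. The same walk, reused as `base_model_allowed_for_create`, is what the create and import endpoints need so that a forbidden chain is never stored in the first place.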

dailycve form:

Platform: Open WebUI
Version: main branch 6fdd19bf1
Vulnerability: Model chaining bypass
Severity: Medium
Date: 2026-05-08

Prediction: Patch by 2026-05-20

What Undercode Say:

Analytics:

```bash
# Count model creation attempts in the access log
grep "POST /api/v1/models/create" /var/log/openwebui/access.log | wc -l

# List all chained models; compare each base_model_id against your restricted models
sqlite3 openwebui.db "SELECT id, base_model_id FROM models WHERE base_model_id IS NOT NULL;"

# Monitor chat completions that use a user-created model chaining to a premium model
grep '"model":"cheap-assistant"' /var/log/openwebui/api.log | jq '.messages'
```
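The two monitoring ideas above (a static audit of the model table and a dynamic check of completion logs), carried out in one added Python example that is not part of the original post or of Open WebUI. The model rows, group table, restricted-model map and JSON log lines are all constructed for the example; the log field names (`ts`, `user_id`, `path`, `model`) are an assumption about a JSON-per-line API log, not the project's real log format.

```python
import json
from collections import Counter

# Constructed rows as the sqlite query above would return them, extended with
# the owner column: (id, user_id, base_model_id).  Terminal models are included
# so chains can be followed to the end.
MODEL_ROWS = [
    ("gpt-4-turbo-restricted", "admin", None),
    ("gpt-4o-public", "admin", None),
    ("cheap-assistant", "mallory", "gpt-4-turbo-restricted"),
    ("helper", "pat", "cheap-assistant"),          # two-level chain
    ("summarizer", "mallory", "gpt-4o-public"),    # benign chain to a public base
]
# Restricted base models and the group ids allowed to read them (assumption:
# derived from each model's access_control read group list).
RESTRICTED = {"gpt-4-turbo-restricted": {"premium"}}
GROUPS = {"mallory": {"free"}, "pat": {"premium"}, "admin": set()}   # constructed
ADMINS = {"admin"}

# Constructed api.log excerpt, one JSON object per line.
API_LOG = """\
{"ts":"2026-05-08T10:00:01Z","user_id":"mallory","path":"/api/chat/completions","model":"cheap-assistant"}
{"ts":"2026-05-08T10:00:05Z","user_id":"pat","path":"/api/chat/completions","model":"helper"}
{"ts":"2026-05-08T10:01:00Z","user_id":"mallory","path":"/api/chat/completions","model":"summarizer"}
{"ts":"2026-05-08T10:02:00Z","user_id":"mallory","path":"/api/chat/completions","model":"cheap-assistant"}
{"ts":"2026-05-08T10:03:00Z","user_id":"mallory","path":"/api/v1/models/create","model":null}
"""


def build_chain_index(rows):
    """model id -> base_model_id (None for terminal models)."""
    return {mid: base for mid, _owner, base in rows}


def terminal_base(model_id, chain, max_depth=8):
    """Follow base_model_id to the model that actually serves inference.
    Returns None for unknown ids, cycles or over-long chains."""
    seen = set()
    current = model_id
    while current in chain and chain[current] is not None:
        if current in seen or len(seen) >= max_depth:
            return None
        seen.add(current)
        current = chain[current]
    return current if current in chain else None


def audit_chains(rows, restricted, groups, admins):
    """Static check: chained models whose owner cannot read the restricted
    base the chain ends at.  Returns (model id, owner, terminal base)."""
    chain = build_chain_index(rows)
    findings = []
    for mid, owner, base in rows:
        if base is None:
            continue
        term = terminal_base(mid, chain)
        if term in restricted and owner not in admins \
                and not (groups.get(owner, set()) & restricted[term]):
            findings.append((mid, owner, term))
    return findings


def detect_bypass_requests(log_text, rows, restricted, groups, admins):
    """Dynamic check: completion requests that reached a restricted base via a
    chain, from a caller outside the base's allowed groups.  Returns a count
    per (user, requested model, terminal base)."""
    chain = build_chain_index(rows)
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != "/api/chat/completions" or not rec.get("model"):
            continue
        term = terminal_base(rec["model"], chain)
        if term not in restricted or rec["user_id"] in admins:
            continue
        if groups.get(rec["user_id"], set()) & restricted[term]:
            continue   # entitled caller, chain or not
        hits[(rec["user_id"], rec["model"], term)] += 1
    return dict(hits)


if __name__ == "__main__":
    print(audit_chains(MODEL_ROWS, RESTRICTED, GROUPS, ADMINS))
    print(detect_bypass_requests(API_LOG, MODEL_ROWS, RESTRICTED, GROUPS, ADMINS))
```

The audit flags `cheap-assistant` (owned by `mallory`, ending at a base she cannot read) but not `helper`, because `pat` holds the `premium` group, and not `summarizer`, whose base is public. The log check resolves each requested model through the same chain index, so it catches multi-level chains and only counts callers who would have been refused the base model directly.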

Exploit:

```bash
# Step 1: Create a chain model pointing to the restricted base model
curl -X POST http://target:3000/api/v1/models/create \
  -H "Authorization: Bearer $ATTACKER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"id":"evil-chain","name":"Evil","base_model_id":"gpt-4-turbo-restricted","params":{}}'

# Step 2: Query the restricted model via the chain
curl -X POST http://target:3000/api/chat/completions \
  -H "Authorization: Bearer $ATTACKER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"model":"evil-chain","messages":[{"role":"user","content":"Bypass access?"}]}'
```

Protection from this CVE:

  • Apply the patch that adds `check_model_access(user, base_model)` before the base model is resolved in `main.py` lines 1696-1711.
  • Validate `base_model_id` during model creation and import by ensuring the caller has access to the referenced base model (and, for multi-level chains, to every model further down the chain).
  • Remove the default model creation permission for untrusted users (set `workspace.models` to admin-only).
  • Monitor for models where `base_model_id` points to a restricted model but the owner is not in the allowed group.

Impact:

  • Regular users can query restricted or pay-per-token models (OpenAI, Anthropic, Azure) using the admin’s API key.
  • Access control becomes silently ineffective for any model used as a base model.
  • Direct financial cost from unauthorized usage of paid backends.
  • False sense of security: UI shows restrictions working, but they are trivially bypassed.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
