Listen to this Post
The vulnerability arises from missing server-side role verification for users with “pending” status. Open WebUI defines three roles: user, admin, and pending. When new sign-ups are enabled, new accounts default to pending, requiring admin approval to become active. However, role checks are only implemented in the client-side UI, not in the API.
An attacker registers a new account via POST /api/v1/auths/signup. The server responds with a valid JWT token and the role set to "pending". The backend function `get_current_user()` (used in protected endpoints) validates the JWT but never checks the user’s role. Consequently, a pending user can use this token to call authenticated APIs.
For example, the endpoint `/ollama/api/tags` (list LLM models) depends on user=Depends(get_current_user). The function `get_all_models()` returns data, and because `MODEL_FILTER_ENABLED` is false by default, no role filtering occurs. The same missing check applies to all regular user APIs.
An attacker can forge the HTTP response from `/api/v1/auths/signin` or `/api/v1/auths/` using a MITM proxy, changing `”role”:”pending”` to "role":"user", thereby gaining full web UI access. The core issue is using `get_current_user()` instead of get_verified_user(), which enforces role in {"user","admin"}.
Proof-of-concept: create account, extract JWT, then query `/ollama/api/tags` with the token. Unauthenticated requests return 401; with the pending user’s JWT, the request succeeds, returning sensitive model lists.
dailycve form:
Platform: Debian Linux 12
Version: 0.1.105
Vulnerability: Improper Authorization
Severity: Medium
date: June 11 2024
Prediction: Fixed July 2024
What Undercode Say:
Verify unauthenticated access fails
curl -s -X GET -H 'Host: openwebui.example.com' -H 'Content-Type: application/json' \
'https://openwebui.example.com/ollama/api/tags'
Create pending user and capture JWT
export JWT=$(curl -s -X POST -H 'Content-Type: application/json' \
--data '{"name":"","email":"[email protected]","password":"a"}' \
'https://openwebui.example.com/api/v1/auths/signup' | jq -r '.token')
Access authenticated endpoint as pending user
curl -v -X GET -H 'Authorization: Bearer '$JWT \
'https://openwebui.example.com/ollama/api/tags'
Exploit:
Register pending account → receive JWT → call any authenticated API (e.g., /ollama/api/tags, /api/v1/users/) → bypass role check. MITM proxy can modify `”role”:”pending”` to `”user”` in signin response to unlock full UI.
Protection from this CVE:
Replace all `user=Depends(get_current_user)` with `user=Depends(get_verified_user)` in backend endpoints. The `get_verified_user()` function explicitly rejects roles other than `”user”` or "admin". Additionally, enable `MODEL_FILTER_ENABLED` and define whitelists.
Impact:
Pending users (unapproved accounts) can list LLM models, access chat history, query models, and perform all actions of a regular `user` without admin approval, leading to data exposure and resource abuse.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
