Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
Description
Summary
Several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested *model*, never which *backend* the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends.
Affected endpoints
All indexed Ollama routes that resolve the backend through get_ollama_url():
POST /ollama/api/chat/{url_idx}
POST /ollama/api/generate/{url_idx}
POST /ollama/api/embed/{url_idx}
POST /ollama/api/embeddings/{url_idx}
POST /ollama/v1/chat/completions/{url_idx}
POST /ollama/v1/completions/{url_idx}
POST /ollama/v1/messages/{url_idx}
POST /ollama/v1/responses/{url_idx}
Root cause
backend/open_webui/routers/ollama.py — get_ollama_url() consults the model-to-backend allow-list (OLLAMA_MODELS[model]["urls"]) only when url_idx is omitted. When the caller supplies url_idx, that mapping is skipped and the value is used directly as an index:
async def get_ollama_url(request: Request, model: str, url_idx: Optional[int] = None):
if url_idx is None:
models = request.app.state.OLLAMA_MODELS
if model not in models:
raise HTTPException(...)
url_idx = random.choice(models[model].get("urls", []))
url = request.app.state.config.OLLAMA_BASE_URLS[url_idx] # caller-controlled, no authz
return url, url_idx
The outbound request is then sent to that backend using the backend's own configured API key. Backends an admin has disabled (OLLAMA_API_CONFIGS[""].enable = false) are hidden from model discovery but remain reachable through the indexed route, because the disabled state is never re-checked at request time.
Impact
A verified, non-admin user with read access to any single model can: - route requests to internal / higher-capability / restricted Ollama backends in multi-backend deployments, bypassing backend-level isolation; - reach backends the admin has explicitly disabled; - have those requests authenticated with the target backend's configured API key (the key is used server-side; it is not returned to the attacker); - consume the restricted backend's compute.
There is no cross-user data disclosure and no exfiltration of the backend credential itself; the impact is unauthorized access to, and use of, restricted backend resources.
Affected / Patched
- Affected:
<= 0.9.5 - Patched:
>= 0.9.6
Fix
0.9.6 adds validate_ollama_backend_idx(), invoked on every indexed route (directly and via get_ollama_url()), which returns 403 for any non-admin caller-supplied url_idx that is not in the requested model's allowed urls. Because disabled backends are absent from every model's urls, the same check also blocks routing to disabled backends.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <= 0.9.5
Patches
Vulnerability mechanics
Root cause
"Missing authorization check in `get_ollama_url()` allows a caller-supplied `url_idx` to bypass the model-to-backend allow-list and index directly into the admin-configured backend list."
Attack vector
An authenticated non-admin user who has read access to any single model can append an arbitrary `url_idx` path parameter to any of the eight indexed Ollama proxy routes [ref_id=1][ref_id=2]. The server uses this caller-supplied value as a raw index into the admin-configured `OLLAMA_BASE_URLS` list without checking whether the user is authorized to reach that backend [ref_id=1][ref_id=2]. The outbound request is then sent to the targeted backend using that backend's own configured API key, allowing the attacker to access internal, higher-privilege, or explicitly disabled backends [ref_id=1][ref_id=2].
Affected code
The vulnerability resides in `backend/open_webui/routers/ollama.py` in the `get_ollama_url()` function [ref_id=1][ref_id=2]. When a caller supplies a `url_idx` path parameter, the function skips the model-to-backend allow-list (`OLLAMA_MODELS[model]["urls"]`) and uses the caller-controlled value directly as an index into `OLLAMA_BASE_URLS` [ref_id=1][ref_id=2]. All indexed Ollama proxy routes that call `get_ollama_url()` are affected, including `POST /ollama/api/chat/{url_idx}`, `POST /ollama/api/generate/{url_idx}`, `POST /ollama/api/embed/{url_idx}`, `POST /ollama/api/embeddings/{url_idx}`, `POST /ollama/v1/chat/completions/{url_idx}`, `POST /ollama/v1/completions/{url_idx}`, `POST /ollama/v1/messages/{url_idx}`, and `POST /ollama/v1/responses/{url_idx}` [ref_id=1][ref_id=2].
What the fix does
Version 0.9.6 adds a new `validate_ollama_backend_idx()` function that is invoked on every indexed route, both directly and via `get_ollama_url()` [ref_id=1][ref_id=2]. This function returns HTTP 403 for any non-admin caller-supplied `url_idx` that is not present in the requested model's allowed `urls` list [ref_id=1][ref_id=2]. Because disabled backends are absent from every model's `urls`, the same check also prevents routing to backends that an admin has explicitly disabled [ref_id=1][ref_id=2].
Preconditions
- authAttacker must be an authenticated user with read access to at least one model
- configThe deployment must have multiple Ollama backends configured in OLLAMA_BASE_URLS
- inputAttacker sends a POST request to an indexed Ollama proxy route with a crafted url_idx path parameter
Reproduction
No public exploit or PoC is included in the bundle; reproduction steps are not available.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.