{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/model-chaining/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.8.12)"],"_cs_severities":["high"],"_cs_tags":["access-control","model-chaining","open-webui","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI, a web interface for Large Language Models, is susceptible to an access control vulnerability via its model chaining feature. This feature allows users to create custom models that reference existing base models for inference. The vulnerability arises because access controls are only applied to the user-facing model, not the chained base model. An attacker with default model creation permissions can exploit this flaw to create a model that chains to a restricted or premium base model, effectively bypassing intended access restrictions and querying the restricted model using the admin-configured API key. 
This issue affects the current main branch (commit \u003ccode\u003e6fdd19bf1\u003c/code\u003e) and likely all versions with the model chaining feature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdmin provisions a restricted model, such as \u003ccode\u003egpt-4-turbo-restricted\u003c/code\u003e, and configures access control policies.\u003c/li\u003e\n\u003cli\u003eAttacker, without access to the restricted model, crafts a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/v1/models/create\u003c/code\u003e with a payload defining a new model (e.g., \u003ccode\u003echeap-assistant\u003c/code\u003e) and setting its \u003ccode\u003ebase_model_id\u003c/code\u003e to the restricted model\u0026rsquo;s ID.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreate\u003c/code\u003e endpoint lacks validation to ensure the attacker has access to the specified \u003ccode\u003ebase_model_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker now owns the \u003ccode\u003echeap-assistant\u003c/code\u003e model, which will pass the initial \u003ccode\u003echeck_model_access\u003c/code\u003e check.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/chat/completions\u003c/code\u003e, specifying the newly created \u003ccode\u003echeap-assistant\u003c/code\u003e model.\u003c/li\u003e\n\u003cli\u003eThe application resolves the \u003ccode\u003ebase_model_id\u003c/code\u003e of \u003ccode\u003echeap-assistant\u003c/code\u003e to \u003ccode\u003egpt-4-turbo-restricted\u003c/code\u003e within \u003ccode\u003emain.py:1696\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application rewrites the \u003ccode\u003epayload[\u0026quot;model\u0026quot;]\u003c/code\u003e to the base model ID, and dispatches the upstream request using the admin-configured API key.\u003c/li\u003e\n\u003cli\u003eThe attacker receives responses from the 
restricted model, successfully circumventing the intended access restrictions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows unauthorized access to restricted models. Because the upstream request is dispatched with the admin\u0026rsquo;s API key, every bypassed query is billed to the admin on pay-per-token backends such as OpenAI or Azure. It also creates a false sense of security: access restrictions appear to work through the standard model selector but are ineffective against user-created chains, which erodes trust in the configured access controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Model Creation with External BaseModelID\u003c/code\u003e to flag model-creation requests whose \u003ccode\u003ebase_model_id\u003c/code\u003e references another model, and tune its false positives for your environment: legitimate custom models set this field too, so the signal is the requesting user\u0026rsquo;s lack of access to the referenced base model, not the field itself.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Chat Completion Request Using Custom Model with BaseModelID\u003c/code\u003e to detect chat completion requests using a custom model with a \u003ccode\u003ebase_model_id\u003c/code\u003e set; expect the same noise from legitimate custom models and correlate with the creation events above.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Open WebUI that validates the requesting user\u0026rsquo;s access to \u003ccode\u003ebase_model_id\u003c/code\u003e during model creation to remediate CVE-2026-44555. Since chained models created before the upgrade remain in the database, also review existing custom models whose base model their owner cannot otherwise access, and prefer a build that re-checks access when the chain is resolved at inference time.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-open-webui-model-bypass/","summary":"Open WebUI is vulnerable to an access control bypass due to improper model chaining, allowing a regular user to create a model that chains to a restricted base model and query it using the admin's API key, bypassing access 
restrictions.","title":"Open WebUI Model Chaining Access Control Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-02-open-webui-model-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Model-Chaining","version":"https://jsonfeed.org/version/1.1"}
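The attack chain and the recommended fix from the brief above, reduced to a runnable model. This is an added example and not Open WebUI's code: `User`, `Model`, `Registry`, `has_access` and the `resolve_*`/`create_*` functions are hypothetical names, and the `access_control` encoding (`None` = public, `{}` = owner only, `{"read": {...}}` = explicit user/group grants) is an assumption about the real schema. The vulnerable path checks access only on the user-facing model and then rewrites the upstream id exactly as the brief describes; the hardened path refuses the chain at creation time and, going beyond the brief's single hop, re-walks the whole chain at inference time with a cycle guard so that pre-existing or re-pointed models cannot launder access.

```python
"""Added example, not Open WebUI's own code. Names and the access_control
encoding (None = public, {} = owner only, {"read": {...}} = grants) are
assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: str
    role: str = "user"            # "admin" bypasses all access checks
    groups: set = field(default_factory=set)


@dataclass
class Model:
    id: str
    user_id: str                  # owner / creator
    base_model_id: Optional[str] = None
    access_control: Optional[dict] = None


def has_access(user: User, model: Model) -> bool:
    """Read access to one model: admin, owner, public, or explicit grant."""
    if user.role == "admin" or model.user_id == user.id:
        return True
    if model.access_control is None:
        return True
    read = model.access_control.get("read", {})
    return (user.id in read.get("user_ids", [])
            or bool(user.groups & set(read.get("group_ids", []))))


class Registry:
    def __init__(self) -> None:
        self.models: dict = {}

    def add(self, model: Model) -> None:
        self.models[model.id] = model

    # --- vulnerable path: the behaviour the brief describes ---
    def create_vulnerable(self, user: User, model_id: str, base_model_id: str) -> Model:
        if base_model_id not in self.models:   # existence only, no access check
            raise KeyError(base_model_id)
        model = Model(id=model_id, user_id=user.id, base_model_id=base_model_id)
        self.add(model)
        return model

    def resolve_vulnerable(self, user: User, model_id: str) -> str:
        """Upstream id the request is sent as, after check_model_access on
        the user-facing model only."""
        model = self.models[model_id]
        if not has_access(user, model):
            raise PermissionError(model_id)
        return model.base_model_id or model.id   # payload["model"] rewritten, unchecked

    # --- hardened path ---
    def create_hardened(self, user: User, model_id: str, base_model_id: str) -> Model:
        base = self.models.get(base_model_id)
        if base is None:
            raise KeyError(base_model_id)
        if not has_access(user, base):         # creator must already be allowed the base
            raise PermissionError(f"{user.id} may not chain to {base_model_id}")
        model = Model(id=model_id, user_id=user.id, base_model_id=base_model_id)
        self.add(model)
        return model

    def resolve_hardened(self, user: User, model_id: str) -> str:
        """Require access at every hop of the chain; guard against cycles."""
        seen, current = set(), self.models[model_id]
        while True:
            if current.id in seen:
                raise ValueError(f"cycle in model chain at {current.id}")
            seen.add(current.id)
            if not has_access(user, current):
                raise PermissionError(f"{user.id} may not use {current.id}")
            if current.base_model_id is None:
                return current.id
            current = self.models[current.base_model_id]


def build_scenario():
    """Constructed registry: an admin-owned restricted model and a regular user."""
    reg, admin, attacker = Registry(), User(id="admin", role="admin"), User(id="mallory")
    reg.add(Model(id="gpt-4-turbo-restricted", user_id=admin.id, access_control={}))
    return reg, admin, attacker


def demo() -> dict:
    reg, admin, attacker = build_scenario()
    out = {}
    reg.create_vulnerable(attacker, "cheap-assistant", "gpt-4-turbo-restricted")
    out["vulnerable_upstream"] = reg.resolve_vulnerable(attacker, "cheap-assistant")
    try:                                       # same pre-existing chain, hardened resolver
        reg.resolve_hardened(attacker, "cheap-assistant")
        out["hardened_resolve"] = "allowed"
    except PermissionError:
        out["hardened_resolve"] = "denied"
    try:                                       # hardened creation refuses the chain outright
        reg.create_hardened(attacker, "cheap-assistant-2", "gpt-4-turbo-restricted")
        out["hardened_create"] = "allowed"
    except PermissionError:
        out["hardened_create"] = "denied"
    reg.create_hardened(admin, "admin-assistant", "gpt-4-turbo-restricted")
    out["admin_upstream"] = reg.resolve_hardened(admin, "admin-assistant")
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the attacker's `cheap-assistant` resolving to `gpt-4-turbo-restricted` on the vulnerable path while both hardened checks deny it, and the admin's own chain still resolving normally. Checking at both creation and resolution matters because a model-creation check alone leaves every chain created before the fix intact.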