{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/owasp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.8.12)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","llm","owasp"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI versions 0.8.12 and earlier contain an authentication bypass vulnerability in the /responses endpoint of the OpenAI router. This endpoint, intended as a proxy to upstream LLM providers, fails to enforce per-model access controls. While the primary chat completion endpoint (generate_chat_completion) correctly validates model ownership, group membership, and AccessGrants, the /responses endpoint only verifies a valid user session. Consequently, any authenticated user can interact with any model configured on the Open WebUI instance, regardless of their assigned roles or group memberships, by sending a crafted POST request to /api/openai/responses with an arbitrary model ID. This circumvents intended access restrictions and poses risks to service availability, model security, and policy enforcement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid user credentials for the Open WebUI instance. This could be through credential stuffing, phishing, or other common methods.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Open WebUI instance using the obtained credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/api/openai/responses\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes an arbitrary model ID in the POST request body, specifying a model they do not have explicit access to under normal access control policies.\u003c/li\u003e\n\u003cli\u003eThe Open WebUI instance, upon receiving the request at \u003ccode\u003e/api/openai/responses\u003c/code\u003e, only verifies the user\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eDue to the missing access control checks, the request is forwarded to the upstream LLM provider, effectively bypassing the intended access restrictions.\u003c/li\u003e\n\u003cli\u003eThe upstream LLM provider processes the request using the specified model, even though the user lacks authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the response from the LLM, successfully interacting with a restricted model.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have significant consequences. Unauthorized users can submit resource-intensive requests to expensive models, leading to Model Denial of Service (OWASP LLM04) by exhausting API budgets or rate limits, potentially causing total service disruption for legitimate users. Furthermore, if the instance proxies access to fine-tuned or self-hosted models, unauthorized interaction can lead to Model Theft (OWASP LLM10), enabling capability extraction or model distillation. Finally, the vulnerability undermines existing access control systems, preventing administrators from enforcing cost-tier restrictions, team-based model assignments, or compliance boundaries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Open WebUI version 0.8.13 or later to patch CVE-2026-44556 and address the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Open WebUI Unauthorized Model Access via Responses Endpoint\u0026rdquo; to identify potential exploitation attempts by monitoring POST requests to \u003ccode\u003e/api/openai/responses\u003c/code\u003e with potentially malicious model IDs.\u003c/li\u003e\n\u003cli\u003eReview Open WebUI access logs for any suspicious activity related to the \u003ccode\u003e/api/openai/responses\u003c/code\u003e endpoint, particularly requests from users who should not have access to specific models.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T19:45:53Z","date_published":"2026-05-08T19:45:53Z","id":"/briefs/2024-01-open-webui-auth-bypass/","summary":"The /responses endpoint in Open WebUI's OpenAI router lacks access control, allowing authenticated users to bypass per-model access controls and interact with any configured model, potentially leading to denial of service, model theft, and access policy bypass.","title":"Open WebUI /responses Endpoint Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-open-webui-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Owasp","version":"https://jsonfeed.org/version/1.1"}