VulnWatch VulnWatch
← Back to dashboard
Medium github · GHSA-v6qf-75pr-p96m

Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]

Published May 14, 2026 CVSS 5.4

Summary

An internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models.

Details

The generate_chat_completion route handlers in both routers/openai.py and routers/ollama.py declare bypass_filter as a function parameter:

routers/openai.py, line 937–941:

@router.post("/chat/completions")
async def generate_chat_completion(
    request: Request,
    form_data: dict,
    user=Depends(get_verified_user),
    bypass_filter: Optional[bool] = False,
    ...
):

routers/ollama.py, line 1283–1288:

@router.post("/api/chat")
async def generate_chat_completion(
    ...
    bypass_filter: Optional[bool] = False,
    ...
):

Because FastAPI automatically binds unrecognized function parameters to the query string, any HTTP client can set this value by appending ?bypass_filter=true to the request URL.

When bypass_filter is true, the access control check is skipped entirely:

routers/openai.py, line 980:

if not bypass_filter and user.role == "user":
    # ACL check — skipped when bypass_filter is True

This parameter is intended for internal use only — the server-side chat pipeline in utils/chat.py (lines 238, 253) passes bypass_filter=True as a Python function argument when making recursive calls to base models that have already been authorized. However, because it appears in the HTTP handler's signature, it is unintentionally exposed to external callers.

This is separate from the BYPASS_MODEL_ACCESS_CONTROL environment variable, which is a deliberate admin setting for trusted environments.

PoC

#!/usr/bin/env python3
"""
uv run --no-project --with requests finding_02_bypass_filter_acl_bypass.py [--base-url http://localhost:8089]

Finding #2 — Unauthorized model access via bypass_filter query parameter

SUMMARY:
  The POST /openai/chat/completions and POST /ollama/api/chat endpoints expose
  a bypass_filter query parameter as part of their FastAPI function signatures.
  FastAPI automatically binds this to the query string. When an authenticated
  user appends ?bypass_filter=true, the access control check is skipped:

    if not bypass_filter and user.role == "user":
        check_model_access(user, model)  #
Auth Bypass

Affected AI Products

ollama openai llm
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.