PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45365 open-webui CVE debrief

## Summary

Open WebUI versions prior to 0.8.11 expose an internal-only `bypass_filter` parameter on the `/openai/chat/completions` and `/ollama/api/chat` HTTP endpoints via FastAPI query string binding. Any authenticated user can append `?bypass_filter=true` to bypass model access control checks and invoke admin-restricted models.

## Technical Details

The vulnerability stems from FastAPI's automatic query parameter binding exposing what was intended to be an internal flag. The affected endpoints accept the `bypass_filter` parameter as a query string argument which, when set to `true`, disables model access control enforcement. This allows low-privilege authenticated users to access models that administrators have explicitly restricted.

The issue is classified as **CWE-285: Improper Authorization** per vendor advisory metadata.

## Affected Versions

- **Open WebUI**: All versions prior to 0.8.11

## Fixed Versions

- **Open WebUI**: 0.8.11 and later

## CVSS Assessment

- **Score**: 5.4 (MEDIUM)
- **Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

The medium severity reflects that exploitation requires authenticated access (PR:L) and results in limited confidentiality and integrity impact (C:L/I:L) without availability impact.

## Timeline

| Date | Event |
|------|-------|
| 2026-05-15 | CVE published; vendor advisory released |
| 2026-05-19 | CVE record modified |

## Recommended Actions

1. **Upgrade immediately** to Open WebUI 0.8.11 or later to obtain the fix
2. **Verify access controls** after patching by attempting to access restricted models with non-admin accounts
3. **Review access logs** for historical abuse of the `bypass_filter` parameter
4. **Implement defense in depth** by adding network-level access controls for sensitive model endpoints if not already present

## References

- CVE Record: CVE-2026-45365
- NVD Entry: CVE-2026-45365
- Vendor Advisory: GHSA-v6qf-75pr-p96m
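The Technical Details section describes the root cause as an "internal" flag that a framework binds from the query string. The following illustration is added here and is not Open WebUI's code or the vendor's fix: it uses a small stdlib dispatcher (`bind_and_call`, an assumption standing in for FastAPI-style parameter binding) to show why a flag declared in a route signature becomes client-controlled, next to the hardened shape where the flag is never a request parameter. The user table, model names and handler bodies are constructed for the example.

```python
"""Added illustration, not Open WebUI's code: why an 'internal' flag declared in a
route signature becomes client-controlled under query-string binding, and the
hardened shape where the flag is never a request parameter.

Assumption (constructed): `bind_and_call` mimics the way a FastAPI-style framework
fills plain function parameters from the query string; the user table, model
names and handler bodies are invented for the example.
"""
import inspect
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: user roles and the models an admin has restricted.
USERS = {"alice": "admin", "bob": "user"}
RESTRICTED_MODELS = {"admin-only-model"}


def has_model_access(user: str, model: str) -> bool:
    """Access-control rule: restricted models are admin-only."""
    return USERS[user] == "admin" or model not in RESTRICTED_MODELS


def bind_and_call(handler, url: str, *, user: str):
    """Mimic framework binding: every parameter in the handler's signature that the
    framework does not supply itself (here only `user`) is filled from the query
    string, with string-to-bool coercion for bool-annotated parameters."""
    query = {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}
    kwargs = {}
    for name, param in inspect.signature(handler).parameters.items():
        if name == "user":                      # injected by the auth layer
            kwargs[name] = user
        elif name in query:                     # anything else: client-controlled
            raw = query[name]
            if param.annotation is bool:
                kwargs[name] = raw.lower() in ("1", "true", "yes", "on")
            else:
                kwargs[name] = raw
        elif param.default is not inspect.Parameter.empty:
            kwargs[name] = param.default
        else:
            raise ValueError(f"missing required query parameter: {name}")
    return handler(**kwargs)


# Vulnerable shape: the "internal" flag is part of the public signature, so the
# binder fills it from the query string like any other parameter.
def chat_vulnerable(model: str, user: str, bypass_filter: bool = False) -> str:
    if not bypass_filter and not has_model_access(user, model):
        return "403 forbidden"
    return f"200 completion from {model}"


# Hardened shape: the public handler exposes only what the client may set; the
# bypass decision lives in an internal function that only server code calls.
def _chat_core(model: str, user: str, *, bypass_filter: bool) -> str:
    if not bypass_filter and not has_model_access(user, model):
        return "403 forbidden"
    return f"200 completion from {model}"


def chat_hardened(model: str, user: str) -> str:
    return _chat_core(model, user, bypass_filter=False)


if __name__ == "__main__":
    url = "/openai/chat/completions?model=admin-only-model&bypass_filter=true"
    print("vulnerable:", bind_and_call(chat_vulnerable, url, user="bob"))
    print("hardened:  ", bind_and_call(chat_hardened, url, user="bob"))
```

The design point is the split between `chat_hardened` and `_chat_core`: the public handler's signature is the contract with the client, so any server-side decision (such as a filter bypass for trusted internal callers) belongs in a function the router never exposes, not in a defaulted parameter of the route. The same check in step 2 of the recommended actions, attempting a restricted model as a non-admin, is what the hardened case in the test exercises.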

Vendor
open-webui
Product
Unknown
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-19
Advisory published
2026-05-15
Advisory updated
2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances with role-based model access controls

Technical summary

FastAPI query parameter binding exposes internal bypass_filter flag on chat completion endpoints, allowing authenticated users to circumvent model access restrictions

Defensive priority

medium

Recommended defensive actions

  • Upgrade to Open WebUI 0.8.11 or later
  • Verify model access controls function correctly after patching
  • Review historical access logs for bypass_filter parameter usage
  • Consider additional network-level access controls for sensitive endpoints
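The log-review action above (and step 3 of the debrief's recommended actions) calls for finding historical use of the `bypass_filter` parameter. The helper below is an added example, not part of the advisory or of Open WebUI: it parses reverse-proxy access logs in combined format (an assumption about where the query string is recorded), flags every request that named the parameter regardless of value, and narrows to hits on the two affected endpoints that returned 2xx. The five log lines are constructed.

```python
"""Added detection helper, not part of the advisory or of Open WebUI: scan
reverse-proxy access logs for requests that carried the `bypass_filter` query
parameter, and separate hits on the affected chat endpoints that succeeded.

Assumptions: logs are in nginx/Apache combined format with the request line
including the query string; the five log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

AFFECTED_PATHS = {"/openai/chat/completions", "/ollama/api/chat"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\s'
)

SAMPLE_LOG = """\
10.0.0.5 - bob [15/May/2026:10:01:02 +0000] "POST /openai/chat/completions HTTP/1.1" 403 87
10.0.0.5 - bob [15/May/2026:10:01:09 +0000] "POST /openai/chat/completions?bypass_filter=true HTTP/1.1" 200 5120
10.0.0.7 - alice [15/May/2026:10:02:00 +0000] "POST /ollama/api/chat HTTP/1.1" 200 2048
10.0.0.9 - carol [15/May/2026:10:03:30 +0000] "GET /api/models?bypass_filter=true HTTP/1.1" 200 300
10.0.0.9 - carol [15/May/2026:10:04:00 +0000] "POST /ollama/api/chat?bypass_filter HTTP/1.1" 500 64
"""


def find_bypass_attempts(log_text: str) -> list:
    """Return one record per request whose query string names bypass_filter,
    regardless of value: the parameter has no legitimate client-side use."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line; skip rather than crash
        parts = urlsplit(m["target"])
        # keep_blank_values so a bare "?bypass_filter" is also caught
        keys = set(parse_qs(parts.query, keep_blank_values=True))
        if "bypass_filter" not in keys:
            continue
        findings.append({
            "time": m["time"], "ip": m["ip"], "user": m["user"],
            "method": m["method"], "path": parts.path, "status": int(m["status"]),
            "affected_endpoint": parts.path in AFFECTED_PATHS,
        })
    return findings


def likely_successful(findings: list) -> list:
    """Narrow to requests that hit an affected endpoint and got a 2xx back;
    these are the ones to correlate with model-usage records."""
    return [f for f in findings if f["affected_endpoint"] and 200 <= f["status"] < 300]


if __name__ == "__main__":
    hits = find_bypass_attempts(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("likely successful:", [(h["user"], h["time"]) for h in likely_successful(hits)])
```

Two triage notes follow from the output: a hit on a non-affected path (`/api/models` in the sample) is still worth recording, since it shows someone probing for the parameter, and a hit on an affected endpoint that did not return 2xx tells you the attempt was made but may not have produced a completion. If the proxy strips query strings from its request line, the application's own request logging (or the proxy's `$request_uri`-style field) is the place to look instead.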

Evidence notes

All technical details sourced from NVD record and GitHub Security Advisory GHSA-v6qf-75pr-p96m. CVSS vector and CWE classification from official NVD metadata. Timeline dates derived from CVE publishedAt (2026-05-15T22:16:55.590Z) and modifiedAt (2026-05-19T14:16:46.033Z) fields.
