Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)

Description

Summary

GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDING_FUNCTION(...). This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used.
Code reference: backend/open_webui/routers/memories.py (@router.get("/ef") -> calls request.app.state.EMBEDDING_FUNCTION("hello world")).

Details

GET /api/v1/memories/ef is reachable without authentication and triggers request.app.state.EMBEDDING_FUNCTION("hello world"). This crosses an intended security boundary by allowing unauthenticated users to invoke potentially expensive embedding computation and/or paid upstream embedding APIs.

PoC

  1. Start Open WebUI in default configuration (no special env hardening; default ENABLE_MEMORIES is true).
  2. From an unauthenticated client (no cookies/Authorization header), call:
    curl -i http://\<host\>:\<port\>/api/v1/memories/ef
  3. Observe the server performs embedding generation and returns a response like:
    - HTTP 200 with JSON containing the result.

How it can be abused / attacker actions:

  • Send repeated requests to /api/v1/memories/ef to:
  • consume CPU/GPU resources (DoS)
  • generate sustained outbound usage to embedding providers if configured (cost + rate-limit exhaustion)
  • degrade latency/availability for legitimate users

Impact

If embeddings are configured to use paid/remote providers (OpenAI/Azure/etc), an attacker can generate unlimited requests and incur charges.

Resolution

Fixed in commit e5035ea31, first released in v0.8.0 (Feb 2026). The /api/v1/memories/ef route was removed entirely. It was a diagnostic/debug-style endpoint that hard-coded &quot;hello world&quot; through the embedding function without any authentication dependency; there was no legitimate caller that depended on it, so deletion was the cleaner fix than retrofitting auth. Users on &gt;= 0.8.0 are not affected.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-14 20:28:02 UTC
Updated
2026-05-19 16:00:44 UTC
GitHub reviewed
2026-05-14 20:28:02 UTC
NVD published
2026-05-15

EPSS Score

Score Percentile
0.05% 16.27%

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

CWEs

CWE id Name
CWE-862 Missing Authorization

Credits

  • densi97 (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip open-webui <= 0.7.2 0.8.0

References

cvelogic Threat Intelligence