GHSA-57q6-fvp4-pqmm: Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
Summary
Open WebUI lets an admin restrict which endpoints a given API key may access, but that restriction is enforced only when the key is sent in the standard `Authorization` header. The same key sent in the custom `x-api-key` authentication header bypasses the restriction entirely, granting full access to protected endpoints such as the messages API.
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Original source: https://github.com/advisories/GHSA-57q6-fvp4-pqmm
First tracked: May 14, 2026 at 08:00 PM