[GH-ISSUE #7440] API allows sign up of new users despite new sign-up setting is disabled #14747

Closed
opened 2026-04-19 21:02:29 -05:00 by GiteaMirror · 2 comments

Originally created by @jmrobles on GitHub (Nov 27, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/7440

Bug Report

Installation Method

docker

Environment

  • Open WEB UI: latest
  • Ubuntu 22

Confirmation:

  • [X] I have read and followed all the instructions provided in the README.md.
  • [X] I am on the latest version of both Open WebUI and Ollama.
  • [N/A] I have included the browser console logs.
  • [N/A] I have included the Docker container logs.
  • [X] I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below.

Expected Behavior:

If "allow new sign-up" is disabled in the general settings, a user shouldn't be able to sign up using the API /api/v1/auths/signup.

Actual Behavior:

A user can be registered using the API despite the "allow new sign-up" setting being disabled.

Description

If the default role for new users is "user", an attacker can register new users in the system despite "allow new sign-up" being disabled, and perform requests to /chat/completions endpoints.

Reproduction Details

  1. Log in as admin
  2. Go to Settings, General
  3. Disable "allow sign-up new users"
  4. Set the default user role to "user"
  5. Save the settings
  6. Go to /api/v1/docs
  7. Using the Swagger interface or curl, for example, register a new user

Logs and Screenshots

Additional Information

This mistake cost my company about $1,700.

image

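A check for the scenario in the steps above: after upgrading, confirm from outside the UI that the sign-up endpoint refuses a registration while the setting is off. This is an added example, not part of the issue or of Open WebUI; the endpoint path comes from the report, while the base URL and the JSON field names are assumptions.

```python
# Added check, not Open WebUI code: confirm /api/v1/auths/signup (path from the
# report) refuses registration when "allow new sign-up" is off. BASE_URL and
# the JSON field names (name, email, password) are assumptions.
import json
import secrets
import sys
import urllib.error
import urllib.request

BASE_URL = "http://localhost:3000"    # placeholder: your own instance
SIGNUP_PATH = "/api/v1/auths/signup"  # endpoint named in the issue


def signup_verdict(status: int) -> str:
    """Map the HTTP status of a sign-up attempt to a finding: a 2xx means the
    API created an account although the setting says it must not."""
    if 200 <= status < 300:
        return "FAIL: sign-up accepted while disabled"
    if status in (400, 401, 403):
        return "PASS: sign-up rejected"
    return f"UNCLEAR: unexpected status {status}"


def probe_signup(base_url: str, timeout: float = 10.0) -> tuple[int, str]:
    """POST a throwaway registration and return (status, body). The email and
    password are random, so a FAIL leaves one clearly labelled account to delete."""
    payload = {
        "name": "signup-check",
        "email": f"signup-check-{secrets.token_hex(4)}@example.invalid",
        "password": secrets.token_urlsafe(16),
    }
    req = urllib.request.Request(
        base_url + SIGNUP_PATH,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        # 4xx is the expected outcome when sign-up is disabled
        return err.code, err.read().decode(errors="replace")


if __name__ == "__main__":
    status, body = probe_signup(sys.argv[1] if len(sys.argv) > 1 else BASE_URL)
    print(signup_verdict(status), body[:200])
```

Run it against your own instance after saving the settings; a PASS line shows the API path enforces the setting, not just the UI.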

@tjbck commented on GitHub (Nov 27, 2024):

image

image

Sign up is properly scoped and if you have new sign ups disabled like above, you'll get the following error message:

image

Feel free to verify the code yourself.


@jmrobles commented on GitHub (Nov 27, 2024):

Thanks @tjbck! It's true, I think I was not using the latest version.
I've checked now and it works as expected.
