[PR #14624] [CLOSED] Patch security risk with public /cache endpoint #46575

Closed
opened 2026-04-29 21:26:34 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/14624
Author: @rragundez
Created: 6/3/2025
Status: Closed

Base: devHead: auth-cache


📝 Commits (2)

  • 3f6cf7c Remove extension from images and add user.id in path
  • 1ad263b Add protected endpoint for /cache

📊 Changes

2 files changed (+21 additions, -7 deletions)

View changed files

📝 backend/open_webui/main.py (+14 -2)
📝 backend/open_webui/utils/middleware.py (+7 -5)

📄 Description

The /cache endpoint is unprotected and any file that is created in that directory will automatically be available without any auth.
This PR adds protection over this endpoint to be available only to users of the app but also to only the user specific that created the image.

In addition it is recommended to remove the extension of the file being written as load balancer and similar systems could activate cache if the extension is kept as it is identified as a file, and if cache is activated then it defeats the purpose of authentication as it will serve the file directly without triggering the logic of the endpoint.
For now the only place I see it being used is for the images, which I already patched in this PR.

I tested but Please test from your side.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/14624 **Author:** [@rragundez](https://github.com/rragundez) **Created:** 6/3/2025 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `auth-cache` --- ### 📝 Commits (2) - [`3f6cf7c`](https://github.com/open-webui/open-webui/commit/3f6cf7c82fb4be653d02beb371fa62561040e076) Remove extension from images and add user.id in path - [`1ad263b`](https://github.com/open-webui/open-webui/commit/1ad263bf1af76b19cf894a1527c032ccdaf67c1d) Add protected endpoint for /cache ### 📊 Changes **2 files changed** (+21 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/main.py` (+14 -2) 📝 `backend/open_webui/utils/middleware.py` (+7 -5) </details> ### 📄 Description The `/cache` endpoint is unprotected and any file that is created in that directory will automatically be available without any auth. This PR adds protection over this endpoint to be available only to users of the app but also to only the user specific that created the image. In addition it is recommended to remove the extension of the file being written as load balancer and similar systems could activate cache if the extension is kept as it is identified as a file, and if cache is activated then it defeats the purpose of authentication as it will serve the file directly without triggering the logic of the endpoint. For now the only place I see it being used is for the images, which I already patched in this PR. I tested but Please test from your side. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-29 21:26:34 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#46575