[GH-ISSUE #21571] issue: SWAGGER API is accessible without token with disabled API #58187

Closed
opened 2026-05-05 22:30:12 -05:00 by GiteaMirror · 5 comments

Originally created by @Atrocraz on GitHub (Feb 18, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21571

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.8.3

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

  1. The Swagger API cannot be executed without providing a Bearer token via the UI.
  2. The Swagger API cannot be executed if API Keys are disabled in settings.

Actual Behavior

Swagger API endpoints can be executed just by going to the /docs#/ endpoint while you are authorized in OWUI, no matter whether "Admin panel -> Settings -> General -> Enable API Keys" is on or off, and even when the user doesn't have permission to use API Keys.

I guess it doesn't check the API key since the user is authorized in OWUI.

Steps to Reproduce

  1. Launch your OWUI via docker as usual
  2. Authorize in OWUI
  3. Go to /docs#/ endpoint
  4. Execute any endpoint (even if it does require authorization).

Logs & Screenshots

Additional Information

No response

GiteaMirror added the bug label 2026-05-05 22:30:12 -05:00

@pr-validator-bot commented on GitHub (Feb 18, 2026):

⚠️ Invalid Issue Title

Hey @Atrocraz, please provide a descriptive title for your issue. Titles that are empty, very short (under 10 characters), or generic (like "issue:" or "feat:") make it difficult for volunteer contributors to understand and triage issues.

Please update the title to reflect the content of your issue.


⚠️ Missing Issue Title Prefix

@Atrocraz, your issue title is missing a prefix (e.g., bug:, feat:, docs:).

Please update your issue title to include one of the following prefixes:

  • bug: Bug report or error you've encountered
  • feat: Feature request or enhancement suggestion
  • docs: Documentation issue or improvement request
  • question: Question about usage or functionality
  • help: Request for help or support

Example: bug: Login fails when using special characters in password


@Classic298 commented on GitHub (Feb 18, 2026):

Intended: a JWT can execute Swagger endpoints, since you are authenticated with a JWT.


@Atrocraz commented on GitHub (Feb 18, 2026):

> intended, JWT can execute swagger endpoints, since you are authenticated with JWT

Thanks for the answer!
Can you explain then, please, what exactly the "Enable API Keys" option does? It sounds like it should enable/disable all API requests, but they are still available in Swagger?


@Classic298 commented on GitHub (Feb 18, 2026):

The Enable API Keys toggle only controls the use of static sk-... tokens. It does not shut down the API or block access to /docs.
Open WebUI is a "headless" application; the frontend is a SvelteKit app that talks to the FastAPI backend via the same API you see in Swagger. If the API were disabled, the website itself would break.
Key Points:

  • JWT vs. API Keys: When you are logged into the web UI, your browser uses a JWT (JSON Web Token). Swagger inherits this session. You aren't bypassing security; you are using your existing, authenticated identity.
  • Permissions: Swagger still enforces your user role. If a regular user tries to call an admin endpoint through /docs, the backend will return a 403 Forbidden.
  • The Toggle's Purpose: Turning off "Enable API Keys" prevents users from creating permanent tokens for external scripts. It does not stop the web interface (or the user's active session) from using the API.
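The credential split described in the comment above (a session JWT always identifies the caller, a static `sk-` key is honoured only while "Enable API Keys" is on, and the role check runs afterwards and answers 403) as an added, self-contained Python model. This is illustrative code written for this thread, not Open WebUI's own implementation; the signing secret, user table, key table and the assumption that a disabled `sk-` key yields 401 are all constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"          # assumption: server-side HS256 signing secret
USERS = {"alice": "user", "root": "admin"}   # constructed user id -> role
API_KEYS = {"sk-demo-key": "alice"}          # constructed static key -> user id

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(user_id: str, exp=None) -> str:
    """Mint an HS256 session token, the kind the logged-in browser presents."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"id": user_id, "exp": exp or int(time.time()) + 3600}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str):
    """Return the user id if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_dec(sig)):
            return None
        claims = json.loads(b64url_dec(payload))
    except (ValueError, TypeError):      # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("id")

def call_endpoint(authorization, api_keys_enabled: bool, admin_only: bool) -> int:
    """HTTP status the backend answers with. A valid JWT always identifies the caller;
    a static sk- key is accepted only while the toggle is on (assumed 401 otherwise);
    the role check then turns a non-admin call to an admin endpoint into a 403."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    token = authorization[len("Bearer "):]
    if token.startswith("sk-"):
        user_id = API_KEYS.get(token) if api_keys_enabled else None
    else:
        user_id = verify_jwt(token)
    if user_id not in USERS:
        return 401
    return 403 if admin_only and USERS[user_id] != "admin" else 200
```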

@Atrocraz commented on GitHub (Feb 19, 2026):

Thanks for explaining it for me, really appreciate it!
