What it is
Open WebUI (formerly Ollama WebUI) is the most popular self-hosted chat interface for local LLMs. It looks like ChatGPT, talks to Ollama or any OpenAI-compatible backend, supports multi-user accounts, RAG document upload, and has become the de-facto control panel for self-hosted AI. LibreChat, Chatbot UI, and a handful of others share the niche.
What goes wrong
Open WebUI ships with open registration enabled by default (ENABLE_SIGNUP=true): visit the URL, click “Sign up”, and you have an account. The very first account created on an instance is silently promoted to administrator, and administrators can read every other user’s chat history (ENABLE_ADMIN_CHAT_ACCESS, also on by default), upload arbitrary documents into shared knowledge bases, and route prompts through any configured backend at the operator’s expense. One caveat a scanner must account for: accounts created after the first land in the “pending” role by default and cannot chat until an admin approves them, so the exposure is immediate only where the operator has set DEFAULT_USER_ROLE=user (common on instances set up for a team) or, worse, has not yet created any account at all, in which case the first outsider to find the IP becomes the admin. Since very few operators disable signups, anyone who finds the IP gets at minimum a foothold awaiting approval, and very often a peer user with access to the shared models and knowledge bases.
How we test
We confirm Open WebUI by its /manifest.json and the version-specific content hash of its frontend bundle, then test the registration endpoint (POST /api/v1/auths/signup) with a benign account creation. We do not enumerate other users’ chats; the proof of exposure is the successful account itself, together with the role it was granted (pending, user or admin), which we screenshot and report. Where the deployment connects to a backend gateway (LiteLLM, OneAPI), we note which provider’s API key the operator is paying for. That’s the quota-drain story that makes the disclosure land.
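The triage flow described above, written out as an added example (this is not Open WebUI’s code, nor the scanner the page describes). It assumes two routes of current Open WebUI releases: GET /api/config, whose JSON carries features.enable_signup, and POST /api/v1/auths/signup, whose reply includes the new account’s role; confirm both against the version you are looking at. The non-invasive config check is done first so that an account is only created on instances that actually advertise open registration, and the role in the signup reply separates the three outcomes the text distinguishes. The sample replies at the bottom are constructed for offline testing.

```python
"""Triage an Open WebUI instance for open registration.

Added example, not Open WebUI's own code. Assumed routes (verify per
version): GET /api/config -> {"features": {"enable_signup": bool, ...}}
and POST /api/v1/auths/signup -> {"token": ..., "role": ..., ...}.
Only triage() touches the network; classify() works on captured JSON.
"""
import json
import sys
import urllib.request
from typing import Optional


def fetch_json(url: str, data: Optional[dict] = None, timeout: float = 10.0) -> dict:
    """GET, or POST a JSON body when data is given, and parse the reply."""
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(
        url,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST" if data is not None else "GET",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def signup_open(config: dict) -> bool:
    """True when /api/config advertises open registration (ENABLE_SIGNUP)."""
    return bool(config.get("features", {}).get("enable_signup", False))


def classify(config: dict, signup_reply: Optional[dict]) -> str:
    """Turn the config check plus an optional benign signup into a finding.

    The role in the signup reply is what matters: 'admin' means we were the
    first account on the instance, 'user' means DEFAULT_USER_ROLE=user and
    we are an immediate peer, 'pending' means an admin must approve us.
    """
    if not signup_open(config):
        return "closed: registration disabled"
    if signup_reply is None:
        return "open: registration enabled (not exercised)"
    role = signup_reply.get("role", "")
    if role == "admin":
        return "critical: first account on the instance, promoted to admin"
    if role == "user":
        return "high: immediate peer user"
    if role == "pending":
        return "medium: account created, awaiting admin approval"
    return f"unknown: unexpected role {role!r}"


def triage(base_url: str, probe: bool = False,
           email: str = "probe@example.invalid", password: str = "change-me") -> str:
    """Check an instance; create a benign account only when probe=True."""
    base = base_url.rstrip("/")
    config = fetch_json(f"{base}/api/config")
    reply = None
    if probe and signup_open(config):
        reply = fetch_json(
            f"{base}/api/v1/auths/signup",
            {"name": "disclosure-probe", "email": email, "password": password},
        )
    return classify(config, reply)


# Constructed sample replies, shaped like the assumed routes, for offline use.
CONSTRUCTED_CONFIG_OPEN = {
    "name": "Open WebUI",
    "features": {"auth": True, "enable_signup": True, "enable_login_form": True},
}
CONSTRUCTED_CONFIG_CLOSED = {
    "name": "Open WebUI",
    "features": {"auth": True, "enable_signup": False, "enable_login_form": True},
}
CONSTRUCTED_SIGNUP_PENDING = {
    "token": "eyJ...(constructed)", "token_type": "Bearer", "id": "c0ffee",
    "email": "probe@example.invalid", "name": "disclosure-probe", "role": "pending",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python triage.py http://host:3000 [--probe]
        print(triage(sys.argv[1], probe="--probe" in sys.argv))
    else:
        print(classify(CONSTRUCTED_CONFIG_CLOSED, None))
        print(classify(CONSTRUCTED_CONFIG_OPEN, CONSTRUCTED_SIGNUP_PENDING))
```

Run it with a URL to get the config-only verdict, and add --probe to exercise the signup the way the text describes; the role-based verdict is what goes in the report. The operator-side fix is the mirror image of the check: ENABLE_SIGNUP=false, and DEFAULT_USER_ROLE left at pending on any instance that must keep signups on.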