
[Security Alert]: Not all endpoints require authentication even when explicitly enabled

Open · MrBruz opened this issue 1 month ago · 1 comment

Checklist

  • [x] The issue exists after disabling all extensions
  • [x] The issue exists on a clean installation of webui
  • [ ] The issue is caused by an extension, but I believe it is caused by a bug in the webui
  • [x] The issue exists in the current version of the webui
  • [x] The issue has not been reported before recently
  • [ ] The issue has been reported before but has not been fixed yet

What happened?

Some manually added endpoints such as /internal/sysinfo can still be called even when authentication is meant to be enforced by Gradio.

Steps to reproduce the problem

  1. Enable Gradio based authentication
  2. Open http://127.0.0.1/internal/sysinfo in an incognito browser window
  3. Notice how it still returns system information even when authentication is enabled.

What should have happened?

It should have required the user to be signed in to return that information.

What browsers do you use to access the UI?

Mozilla Firefox

Sysinfo

sysinfo-2025-00-00-00-00.json

Console logs

N/A

Additional information

No response

MrBruz · Oct 27 '25 02:10

for /internal/sysinfo I have a PR

  • https://github.com/AUTOMATIC1111/stable-diffusion-webui/pull/16755

personally I don't like the exposed /internal/sysinfo, that's why I decided to make the PR

but as the authentication password should be stripped from the /internal/sysinfo response (if you're not using an old version), I believe AUTOMATIC1111 thinks it's ok to be exposed and easier to implement at the time

note that for endpoints added by extensions, they will have to enable authentication when adding the route on the extension side

w-e-w · Oct 29 '25 19:10
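The bug class in the report and the per-route fix the comment describes, as an added example that is not the project's code: a small stdlib-only model of an app with a per-route auth check (the `App`, `Request`, `SESSIONS` and `sysinfo` names are hypothetical stand-ins for the webui's FastAPI app and Gradio login session, and the sysinfo payload is constructed), plus an audit helper that lists routes answering without a session.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed session store: cookie value -> user (stands in for Gradio's login cookie).
SESSIONS = {"sess-abc123": "admin"}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Route:
    path: str
    handler: Callable[[Request], tuple[int, dict]]
    require_auth: bool


class App:
    """Hypothetical router modelling an app where auth is decided per route."""

    def __init__(self):
        self.routes: dict[str, Route] = {}

    def add_api_route(self, path, handler, require_auth=True):
        self.routes[path] = Route(path, handler, require_auth)

    def handle(self, req: Request) -> tuple[int, dict]:
        route = self.routes.get(req.path)
        if route is None:
            return 404, {"detail": "Not Found"}
        # Only routes registered with require_auth=True consult the session store.
        if route.require_auth and req.cookies.get("session") not in SESSIONS:
            return 401, {"detail": "login required"}
        return route.handler(req)

    def unprotected_routes(self) -> list:
        """Audit helper: every route that would answer without a session."""
        return sorted(p for p, r in self.routes.items() if not r.require_auth)


def sysinfo(req: Request) -> tuple[int, dict]:
    # Constructed sample payload; the real response carries far more detail.
    return 200, {"Python": "3.x", "Commit": "<placeholder>"}


def build_app(fixed: bool) -> App:
    app = App()
    # Before the fix the route is registered with no auth check, so it
    # answers anonymous requests even though login is enabled elsewhere.
    app.add_api_route("/internal/sysinfo", sysinfo, require_auth=fixed)
    return app


def probe(app: App, path: str, session: str = None) -> int:
    """Status code an anonymous (or logged-in) client gets for a path."""
    cookies = {"session": session} if session else {}
    return app.handle(Request(path, cookies))[0]
```

Running `build_app(False).unprotected_routes()` on the pre-fix app reproduces the report: `/internal/sysinfo` is listed, and `probe` returns 200 with no session.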