issue: Uncaught ValueError in APIKeyRestrictionMiddleware causes HTTP 500 on malformed Authorization header

[ThanosTsiamis]

Check Existing Issues

• I have searched for any existing and/or related issues.
• I have searched for any existing and/or related discussions.
• I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
• I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.7.2

Ollama Version (if applicable)

No response

Operating System

macOS Tahoe

Browser (if applicable)

No response

Confirmation

• I have read and followed all instructions in README.md.
• I am using the latest version of both Open WebUI and Ollama.
• I have included the browser console logs.
• I have included the Docker container logs.
• I have provided every relevant configuration, setting, and environment variable used in my setup.
• I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
• I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
• Start with the initial platform/version/OS and dependencies used,
• Specify exact install/launch/configure commands,
• List URLs visited, user input (incl. example values/emails/passwords if needed),
• Describe all options and toggles enabled or changed,
• Include any files or environmental changes,
• Identify the expected and actual result at each stage,
• Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

The server should handle malformed Authorization headers gracefully. If a client sends a header with irregular spacing (e.g., double spaces) or missing components, the server should catch the parsing error and return a 401 Unauthorized or 400 Bad Request response, rather than crashing the request handler.

Actual Behavior

When a malformed Authorization header is received (specifically one that causes split(" ") to return more or fewer than 2 items), the application raises an uncaught ValueError. This causes the Uvicorn worker to crash on that specific request and return a 500 Internal Server Error to the client.

Steps to Reproduce

1. Deploy Open WebUI (verified on version 0.7.2) using Docker or pip install.

2. Start the server (e.g., open-webui serve).

3. Open a terminal and send a request with a malformed Authorization header. Note the double space between "Bearer" and the token string in the command below:

curl -I -X GET "https://localhost:8080/" -H "Authorization: Bearer  invalid-token"

Observe the HTTP response status code is 500 Internal Server Error.

Check the server console logs to see the Python traceback.

Logs & Screenshots

~ curl -X GET "https://localhost:8080/" -H "Authorization: Bearer  invalid-token"
Internal Server Error%

Additional Information

No response

[ThanosTsiamis]

I have implemented a fix for this issue in my fork by adding error handling to the header parsing logic. If this approach looks correct to the maintainers, I am ready to submit a Pull Request.

Fix Branch: https://github.com/ThanosTsiamis/open-webui/tree/fix/middleware-auth-header-crash

[tjbck]

Addressed in dev.