Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in model_dump(exclude_unset=True). In insert_new_folder, the server-assigned user_id is placed at the start of the dict and then overwritten by the spread of form data. Because FolderModel declares user_id: str as a real field (not just a form extra), any attacker-supplied user_id in the POST body is accepted by the model and persisted on the Folder row. This vulnerability is fixed in 0.9.0.
Published: 2026-05-15
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the use of Pydantic's ConfigDict with extra='allow' in Open WebUI's FolderForm before version 0.9.0. This configuration permits arbitrary fields to pass through validation and be persisted after serialization. Because the FolderModel declares a user_id field, an attacker can supply a user_id in the POST body that overrides the server‑assigned value. The result is that folders can be created under any user account, enabling unauthorized access to that user’s data and potential data disclosure or confusion. This flaw is a classic authorization bypass represented by CWE‑862.

Affected Systems

Open WebUI – the self‑hosted AI platform – affected by all releases before 0.9.0. The fix was applied in version 0.9.0 and later, eliminating the uncontrolled mass assignment of the user_id field. Users running earlier versions that expose the folder creation endpoint are vulnerable.

Risk and Exploitability

The likely attack vector is inferred to be a remote attacker able to send a crafted POST request to the folder creation endpoint; this inference is not directly stated in the input. The CVSS score of 5.0 rates the weakness as medium severity, reflecting that it does not allow arbitrary code execution but does permit a privilege escalation path. No EPSS data is available and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires the ability to send a crafted POST request to the folder creation endpoint; since the application is typically accessed over a network, a remote attacker who can reach the service and potentially gain an authenticated session can exploit it. Once the user_id can be injected, the attacker can create or modify folders under any account, which may lead to inadvertent data exposure or account confusion.

Generated by OpenCVE AI on May 15, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.0 or later, where the Mass Assignment flaw has been fixed.
  • If an upgrade is not immediately possible, modify the FolderForm configuration to disallow extra fields (e.g., set ConfigDict(extra='forbid') or perform server‑side validation to reject any user_id supplied by the client).
  • As a temporary measure, restrict write access to the folder creation API by requiring authentication, or disable the public folder creation endpoint until the policy change can be implemented.

Generated by OpenCVE AI on May 15, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hr43-rjmr-7wmm Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
History

Fri, 15 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Fri, 15 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in model_dump(exclude_unset=True). In insert_new_folder, the server-assigned user_id is placed at the start of the dict and then overwritten by the spread of form data. Because FolderModel declares user_id: str as a real field (not just a form extra), any attacker-supplied user_id in the POST body is accepted by the model and persisted on the Folder row. This vulnerability is fixed in 0.9.0.
Title Open WebUI: Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T22:21:43.340Z

Reserved: 2026-05-06T20:59:00.594Z

Link: CVE-2026-44550

cve-icon Vulnrichment

Updated: 2026-05-15T22:16:17.490Z

cve-icon NVD

Status : Received

Published: 2026-05-15T20:16:46.293

Modified: 2026-05-15T20:16:46.293

Link: CVE-2026-44550

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T22:00:12Z

Weaknesses