Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework. This vulnerability is fixed in 0.9.0.
Published: 2026-05-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a non‑admin user who can create or own group channels to submit arbitrary access grants, including public wildcards, that are stored without filtering. This bypasses the platform’s admin‑controlled permission model. The flaw is a classic missing authorization weakness (CWE‑862), enabling unauthorized disclosure and potential abuse of channel data.

Affected Systems

This flaw affects installations of the open‑webui self‑hosted AI platform before version 0‑9‑0. The affected code is the channel router, which omits the filter_allowed_access_grants check on create or update operations.

Risk and Exploitability

The issue has a CVSS base score of 5.4, indicating moderate impact. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires the ability to create or own a channel; an attacker with a user account can exploit the route to grant public access, potentially exposing sensitive content. Because the vulnerability does not require elevated privileges or remote exploitation of the server, the threat surface depends on the user base and channel management policies.

Generated by OpenCVE AI on May 15, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the open‑webui application to version 0.9.0 or later to remove the missing authorization check.
  • Restrict the ability to create or modify group channels to administrators only, limiting the population of channels an untrusted user can influence.
  • Periodically audit channel access grants to ensure no unexpected public wildcard permissions exist, and revoke any found.

Generated by OpenCVE AI on May 15, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7rjh-px4v-5w55 Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants
History

Fri, 15 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Fri, 15 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework. This vulnerability is fixed in 0.9.0.
Title Open WebUI: Channel Access Grants Bypass filter_allowed_access_grants
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T19:43:40.120Z

Reserved: 2026-05-06T20:59:00.595Z

Link: CVE-2026-44558

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-15T20:16:47.350

Modified: 2026-05-15T20:16:47.350

Link: CVE-2026-44558

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T21:30:08Z

Weaknesses