Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of ownership. When an imported model's ID matches an existing model, the endpoint merges the attacker's payload over the existing model data and writes it to the database with no ownership or access grant validation. Additionally, filter_allowed_access_grants is never called, bypassing the access grant restrictions enforced on all other model mutation endpoints. This vulnerability is fixed in 0.9.0.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a user who possesses the workspace.models_import permission to replace any existing model in the Open WebUI database. By sending a POST request to /api/v1/models/import with a model ID that matches an existing one, the attacker’s payload is merged over the current model data and written back to the database without any ownership or access grant validation. This effectively bypasses the system’s authorization checks for model mutation, permitting an attacker to alter or replace models arbitrarily.
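
The authorization gap described above, as an added example that is not Open WebUI source code: a simplified in-memory import handler with the unchecked merge beside a version that requires ownership when an imported ID collides with an existing model. The User class, the dict-based store, the grant format, fresh_db and restrict_grants (a stand-in for the grant filtering the advisory names) are all assumptions made for illustration.

```python
# Simplified in-memory model of an import-by-ID handler. All names and the
# data layout are assumptions for illustration, not Open WebUI source.
from dataclasses import dataclass, field

@dataclass
class User:
    id: str
    role: str = "user"
    permissions: set = field(default_factory=set)

class ImportDenied(Exception):
    pass

def fresh_db():
    """Constructed sample store: alice owns the only model."""
    return {"support-bot": {"id": "support-bot", "user_id": "alice",
                            "params": {"system": "Be helpful."},
                            "access_grants": []}}

def import_unchecked(db, user, payload):
    """Pattern described in the advisory: permission check, then blind merge."""
    if "workspace.models_import" not in user.permissions:
        raise ImportDenied("missing import permission")
    existing = db.get(payload["id"], {})
    db[payload["id"]] = {**existing, **payload}  # caller's fields win
    return db[payload["id"]]

def restrict_grants(user, grants):
    """Hypothetical grant filter: non-admins may not grant to everyone."""
    if user.role == "admin":
        return list(grants)
    return [g for g in grants if g.get("principal") != "*"]

def import_checked(db, user, payload):
    """Same merge, but an ID collision requires ownership (or admin)."""
    if "workspace.models_import" not in user.permissions:
        raise ImportDenied("missing import permission")
    existing = db.get(payload["id"])
    if existing and existing["user_id"] != user.id and user.role != "admin":
        raise ImportDenied(f"model {payload['id']} belongs to another user")
    merged = {**(existing or {}), **payload}
    # Never let the payload reassign ownership; new rows belong to the caller.
    merged["user_id"] = existing["user_id"] if existing else user.id
    merged["access_grants"] = restrict_grants(user, merged.get("access_grants", []))
    db[payload["id"]] = merged
    return merged
```
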

Affected Systems

The flaw exists in Open WebUI (vendor open-webui, product open-webui) before version 0.9.0. Users running any pre‑0.9.0 release are affected. The issue is resolved in 0.9.0 and later releases.

Risk and Exploitability

The CVSS score is 6.5, indicating a medium severity vulnerability. No EPSS score is available, so the current exploitation probability is unknown, and the vulnerability is not listed in CISA’s KEV catalog. The attack is likely carried out through authenticated API access to the import endpoint, and it requires the attacker to hold the workspace.models_import permission. Once exploited, the attacker can overwrite any model, potentially compromising the integrity of the system and the correctness of AI responses. Given the scope of impact, which extends to all users who rely on the overwritten model, organisations should treat this as a serious operational risk.

Generated by OpenCVE AI on May 15, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade open-webui to version 0.9.0 or later to apply the vendor‑supplied fix
  • Immediately review and restrict the workspace.models_import permission, granting it only to trusted administrators
  • Consider disabling or protecting the /api/v1/models/import endpoint during application operation, and monitor for unauthorized import activity


Advisories
Source: GitHub GHSA
ID: GHSA-mqq6-cqcx-38vg
Title: Open WebUI's Model Import Overwrites Any Model Without Ownership Check

History

Fri, 15 May 2026 23:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Open-webui; Open-webui open-webui

Type: Vendors & Products
Values Added: Open-webui; Open-webui open-webui

Fri, 15 May 2026 20:15:00 +0000

Type: Description
Values Added: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of ownership. When an imported model's ID matches an existing model, the endpoint merges the attacker's payload over the existing model data and writes it to the database with no ownership or access grant validation. Additionally, filter_allowed_access_grants is never called, bypassing the access grant restrictions enforced on all other model mutation endpoints. This vulnerability is fixed in 0.9.0.

Type: Title
Values Added: Open WebUI: Model Import Overwrites Any Model Without Ownership Check

Type: Weaknesses
Values Added: CWE-283, CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-15T22:21:49.822Z
Reserved: 2026-05-06T20:59:00.595Z
Link: CVE-2026-44562

Vulnrichment

Updated: 2026-05-15T22:14:45.846Z

NVD

Status: Received
Published: 2026-05-15T20:16:47.873
Modified: 2026-05-15T20:16:47.873
Link: CVE-2026-44562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:30:08Z
