Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access(). This vulnerability is fixed in 0.9.0.
Published: 2026-05-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI's /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accepted any user-supplied model name without verifying that the caller had permission to use that model. As a result, any authenticated, non-pending user could execute requests against any Ollama model, potentially accessing or processing data that should be restricted. This is an access-control bypass and the weakness is identified as CWE-862.

Affected Systems

Vulnerable configurations are deployments of Open WebUI prior to version 0.9.0, which is the self-hosted artificial intelligence platform from the open-webui project. The issue applies to all builds of the software that do not incorporate the 0.9.0 fix, and it affects every user who can authenticate to the web UI but does not have administrative approval for specific models.

Risk and Exploitability

The severity rating of 5.4 on the CVSS vector places the issue in the medium range. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that the attacker obtains a valid authenticated session; no additional privileges are needed. Because the endpoints are reachable over HTTP/HTTPS, the threat is practical for anyone with network access to the host. In the absence of evidence of active exploitation, the risk remains medium but should be mitigated promptly.

Generated by OpenCVE AI on May 15, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to Open WebUI 0.9.0 or later to address the missing access check.
  • Confirm that the deployment employs strict authentication and limits user roles; only authorized users should be allowed to access the application, especially if it is exposed to external networks.
  • Verify that the implementation of model-invoke endpoints includes a proper AccessGrants.has_access() check, and if custom modifications exist, re-implement the check to prevent unauthorized model access.
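To make the gap described above concrete, the following is an added illustration, not Open WebUI's code: the User and ModelRegistry types, the grant table and the handler names are hypothetical stand-ins. It places the pre-0.9.0 pattern, which stops at the existence check against the unfiltered model list, beside a handler that also consults the grant table before forwarding to the backend.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: str
    role: str                 # "admin" or "user"
    status: str = "active"    # "pending" accounts are rejected by get_verified_user

@dataclass
class ModelRegistry:
    # Full, unfiltered set of model names known to the Ollama backend.
    all_models: set
    # Hypothetical stand-in for the AccessGrants table: model name -> user ids allowed.
    grants: dict = field(default_factory=dict)

    def has_access(self, user, model):
        # Stand-in for AccessGrants.has_access(): admins may use any model,
        # other users only the models explicitly granted to them.
        return user.role == "admin" or user.id in self.grants.get(model, set())

def get_verified_user(user):
    # As the advisory describes: any authenticated, non-pending user passes.
    if user.status == "pending":
        raise PermissionError(f"user {user.id} is pending approval")
    return user

def generate_vulnerable(registry, user, model):
    # Pre-0.9.0 pattern: existence is checked against the unfiltered list,
    # but no per-user authorization check is made before forwarding.
    user = get_verified_user(user)
    if model not in registry.all_models:
        raise LookupError(f"unknown model {model}")
    return f"forwarded to ollama: {model}"   # stand-in for the backend call

def generate_fixed(registry, user, model):
    # Hardened pattern: the same existence check, then the authorization
    # check the vulnerable handler omitted, before anything reaches Ollama.
    user = get_verified_user(user)
    if model not in registry.all_models:
        raise LookupError(f"unknown model {model}")
    if not registry.has_access(user, model):
        raise PermissionError(f"user {user.id} may not use {model}")
    return f"forwarded to ollama: {model}"

def allowed(handler, registry, user, model):
    # True if the handler forwards the request, False if it refuses on authorization.
    try:
        handler(registry, user, model)
        return True
    except PermissionError:
        return False
```

Running both handlers for a non-admin user against a model they were never granted shows the vulnerable path forwarding the request while the fixed path refuses it.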

Advisories
  Source: Github GHSA
  ID: GHSA-rcvp-6fgw-c7fh
  Title: Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
History

Fri, 15 May 2026 21:45:00 +0000

Values Added (nothing removed):
  First Time appeared: Open-webui; Open-webui open-webui
  Vendors & Products: Open-webui; Open-webui open-webui

Fri, 15 May 2026 20:15:00 +0000

Values Added (nothing removed):
  Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access(). This vulnerability is fixed in 0.9.0.
  Title: Open WebUI: Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
  Weaknesses: CWE-862
  References: (none shown)
  Metrics: cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T19:28:25.270Z

Reserved: 2026-05-06T20:59:00.595Z

Link: CVE-2026-44563

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T20:16:48.000

Modified: 2026-05-15T20:16:48.000

Link: CVE-2026-44563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:30:08Z

Weaknesses