Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124.
Published: 2026-05-15
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI fails to confirm that a user has an authorized role before granting access. By default, newly registered users are assigned a pending status, requiring an administrator to manually change the role to user or admin. Because this step is not enforced by the API, an attacker who registers a new account can immediately gain access to the application with the pending role, potentially exposing sensitive data or enabling further exploitation.

Affected Systems

The flaw affects installations of open-webui:open-webui that are running versions before 0.1.124. The vulnerability is tied to the user role validation logic shipped with those releases.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity level, while the EPSS score is unavailable. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by simply creating a new account when sign‑ups are enabled, and no special privileges are required. Once the pending user gains access, the attacker may perform any action permitted to that role, making the risk of unauthorized data disclosure or further compromise significant.

Generated by OpenCVE AI on May 15, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Open WebUI 0.1.124 or later to enforce proper role validation.
  • Disable new user registrations in the configuration if sign‑ups are not required, preventing the creation of pending accounts.
  • Audit existing pending accounts, manually approve or delete them, and monitor for unauthorized activity.

Generated by OpenCVE AI on May 15, 2026 at 22:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4vg5-rp28-gvjf Open WebUI has Improper Authorization Control
History

Fri, 15 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Fri, 15 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124.
Title Open WebUI: Open WebUI Improper Authorization Control
Weaknesses CWE-602
CWE-863
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T20:59:17.794Z

Reserved: 2026-05-06T20:59:00.595Z

Link: CVE-2026-44567

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-15T22:16:53.050

Modified: 2026-05-15T22:16:53.050

Link: CVE-2026-44567

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T23:00:14Z

Weaknesses