Skip to main content

Open WebUI CVE-2026-44550

| EUVDEUVD-2026-30603 MEDIUM
Missing Authorization (CWE-862)
2026-05-08 https://github.com/open-webui/open-webui GHSA-hr43-rjmr-7wmm
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:35 vuln.today
Analysis Generated
May 08, 2026 - 20:35 vuln.today
CVE Published
May 08, 2026 - 19:38 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts

Affected Component

Folder creation endpoint and form model:

  • backend/open_webui/models/folders.py (lines 72-77, FolderForm with extra='allow')
  • backend/open_webui/models/folders.py (lines 95-106, insert_new_folder dict construction)
  • backend/open_webui/routers/folders.py (line 119, create_folder endpoint)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions since FolderForm adopted extra='allow'.

Description

FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in model_dump(exclude_unset=True). In insert_new_folder, the server-assigned user_id is placed at the start of the dict and then overwritten by the spread of form data:

python
# models/folders.py:95-106
folder = FolderModel(
    **{
        'id': id,
# server
        'user_id': user_id,
# server - overwritten below
        **(form_data.model_dump(exclude_unset=True) or {}),
# user-controlled (extra='allow')
        'parent_id': parent_id,
        'created_at': int(time.time()),
        'updated_at': int(time.time()),
    }
)

Because FolderModel declares user_id: str as a real field (not just a form extra), any attacker-supplied user_id in the POST body is accepted by the model and persisted on the Folder row.

Attack Scenario

  1. Attacker discovers a victim's user ID. User UUIDs commonly leak via the user search endpoint (GET /api/v1/users/search, intentionally accessible to verified users for sharing UI), shared chat metadata, or channel member lists.
  2. Attacker sends:
   POST /api/v1/folders/
   {
     "name": "Important: Click here",
     "user_id": "<victim_user_id>",
     "meta": {"icon": "warning"},
     "data": {...}
   }
  1. Pydantic accepts the extra user_id field (allowed by extra='allow').
  2. insert_new_folder spreads the form data over the server-set 'user_id': user_id, overwriting it with the attacker's value.
  3. The Folder row is persisted with user_id = <victim_user_id>.
  4. The victim sees the attacker-planted folder in their UI on next load because GET /api/v1/folders/ filters by the viewer's own user_id.

The attacker can repeat this to plant multiple folders, use crafted name values for phishing ("Click here to recover account" / "Security alert"), and abuse the meta and data fields to add visual elements that further mimic legitimate content.

Impact

  • Unauthorized write into victim's folder tree
  • Phishing surface: attacker-controlled name, meta, and data render in the victim's UI in a trusted context
  • DoS / spam: attacker can flood a victim with arbitrary folders; victim must manually delete each one
  • Attacker cannot read the folder back - all read paths filter by the caller's own user_id - so confidentiality is preserved, but integrity and trust are compromised

Preconditions

  • Attacker must have an authenticated account with features.folders permission (default for all users)
  • Attacker must know or guess the victim's user UUID (obtainable through various non-sensitive endpoints)

AnalysisAI

Mass assignment vulnerability in Open WebUI's folder creation endpoint allows authenticated attackers to create folders in other users' accounts by exploiting Pydantic's extra='allow' configuration. An attacker with a valid account can supply an arbitrary user_id in the POST request body, overwriting the server-assigned value and persisting folders under a victim's account without their knowledge. The attacker can use this to plant phishing content, spam folders, or degrade user experience for targeted victims.

Technical ContextAI

The vulnerability exists in the folder form model (FolderForm in backend/open_webui/models/folders.py) which uses Pydantic's ConfigDict(extra='allow') setting. This configuration permits arbitrary fields beyond the defined schema to pass through validation and be included in model_dump(exclude_unset=True). In the insert_new_folder function (lines 95-106), the server-assigned user_id is initially set but then overwritten via dictionary spread of the user-controlled form data. Since FolderModel declares user_id as an actual field (not just an extra), Pydantic accepts the attacker-supplied value and the ORM persists it directly to the database. The root cause is CWE-862 (Missing Authorization): the application fails to validate that the user_id being written matches the authenticated user's identity, instead relying on Pydantic validation alone which is insufficient for security-sensitive fields.

RemediationAI

Upgrade Open WebUI to version 0.9.0 or later, which removes the extra='allow' configuration from FolderForm and implements proper server-side validation of user_id. If immediate upgrade is not possible, apply a temporary compensating control by modifying the insert_new_folder function to explicitly reject any user_id value supplied in the request body and always use the authenticated user's own user_id from the request context. This requires code-level patching in backend/open_webui/models/folders.py (lines 95-106) to ensure server-assigned values cannot be overwritten by form data spread. An alternative (less preferred) mitigation is to remove extra='allow' from FolderForm's model_config, converting it to ConfigDict(extra='forbid'), which will cause Pydantic to reject any unexpected fields in the POST body and raise a validation error. This blocks the attack but may break integrations if external systems rely on passing additional fields. See vendor advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-hr43-rjmr-7wmm for specific patch details.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44550 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy