Skip to main content

Open WebUI CVE-2026-44556

| EUVDEUVD-2026-30624 HIGH
Improper Access Control (CWE-284)
2026-05-08 https://github.com/open-webui/open-webui GHSA-hp5m-24vp-vq2q
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:33 vuln.today
Analysis Generated
May 08, 2026 - 20:33 vuln.today
CVE Published
May 08, 2026 - 19:45 nvd
HIGH 7.1

DescriptionGitHub Advisory

Summary

The /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint (generate_chat_completion) checks model ownership, group membership, and AccessGrants before allowing a request, the /responses proxy only validates that the user has a valid session via get_verified_user.

This allows any authenticated user - regardless of role or group assignment - to interact with any model configured on the instance by sending a POST request to /api/openai/responses with an arbitrary model ID.

Impact

As per OWASP TOP 10 LLM:

  • Model Denial of Service (OWASP LLM04): An unauthorized user can submit resource-intensive requests to expensive models (e.g., o1-pro, GPT-4o) that were explicitly restricted by the administrator. In shared deployments, this can exhaust API budgets or rate limits, causing total service disruption for all legitimate users.
  • Model Theft (OWASP LLM10): If the instance proxies access to fine-tuned or self-hosted models, unauthorized users can freely interact with them, enabling capability extraction or model distillation without authorization.
  • Access Policy Bypass: Administrators lose the ability to enforce cost-tier restrictions, team-based model assignments, or compliance boundaries through the existing access control system.

The endpoint is a raw passthrough proxy and does not resolve workspace model configurations (system prompts, knowledge bases, RAG pipelines). Therefore, workspace-specific confidential data is not directly exposed through this vector.

PR: https://github.com/open-webui/open-webui/pull/23481

AnalysisAI

Open WebUI versions through 0.8.12 allow any authenticated user to bypass model access controls and interact with restricted LLM models via the /api/openai/responses endpoint. The vulnerability permits low-privilege users to consume expensive models (GPT-4o, o1-pro) restricted by administrators, enabling budget exhaustion and denial of service against legitimate users in multi-tenant deployments. Publicly available exploit code exists via GitHub PR #23481. Vendor-released patch available in version 0.9.0. CVSS 7.1 (High) reflects network-accessible attack with low complexity requiring only basic authentication, yielding high availability impact and low confidentiality impact.

Technical ContextAI

Open WebUI is a Python-based web interface (distributed via PyPI as pkg:pip/open-webui) that proxies requests to upstream LLM providers including OpenAI, Anthropic, and self-hosted models. The platform implements role-based access control (RBAC) with user roles, group memberships, and AccessGrants to enforce per-model authorization. The primary chat completion endpoints (generate_chat_completion, generate_openai_completion) correctly validate model access by checking user ownership, group membership, and explicit grants before forwarding requests. However, the /responses endpoint in routers/openai.py only validates session tokens via get_verified_user without invoking the access control logic. This creates a parallel code path that bypasses the authorization layer entirely. The vulnerability maps to CWE-284 (Improper Access Control), a class of authorization flaws where authentication is present but permission checks are missing or incomplete. The GitHub PR diff shows the fix introduces a centralized check_model_access() function called before proxying requests, consolidating previously duplicated authorization logic across all endpoints.

RemediationAI

Upgrade to Open WebUI version 0.9.0 immediately, which introduces centralized access control via the check_model_access() function across all proxy endpoints including /responses (vendor advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-hp5m-24vp-vq2q, patch PR: https://github.com/open-webui/open-webui/pull/23481). For environments unable to upgrade immediately, implement compensating controls by restricting network access to the /api/openai/responses endpoint via reverse proxy rules (e.g., nginx location blocks returning 403 for non-admin users) or WAF policies. This workaround prevents exploitation but does not fix the underlying authorization gap and may break legitimate functionality if the responses endpoint is actively used. Alternatively, disable user registration and limit instance access to trusted administrators only, converting to single-user mode until patching is feasible. Review API usage logs for suspicious POST requests to /api/openai/responses with model IDs outside assigned user permissions to detect potential exploitation. The patch has no known side effects and does not alter API contracts or configuration requirements.

Share

CVE-2026-44556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy