Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
AC:H reflects multi-step precondition chain; PR:L for prior authenticated account; I:L added because unauthorized scheduled execution represents an integrity violation beyond mere resource consumption.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionNVD
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0.
AnalysisAI
Improper authorization in Open WebUI 0.9.x allows deactivated or pending users to continue executing scheduled AI model automations after their accounts should have lost that capability. The execute_automation function rehydrated automation owners without re-verifying that the owner account was still active or still held the features.automations permission, and check_model_access enforced private-model grants only against the current user role at the time of check rather than re-validating eligibility at execution time. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three specific preconditions: (1) a user account in Open WebUI 0.9.x that was previously active and in a state with `features.automations` enabled, (2) that user must have created at least one scheduled automation before account deactivation or transition to 'pending' status, and (3) the account must have been deactivated or moved to pending status without those automations being explicitly removed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 3.1 (Low) is consistent with the realistic threat model: AV:N indicates network reachability, but AC:H captures the multi-step precondition chain (an account must have been active, created automations, and then been deactivated), and PR:L requires that the attacker already holds a user-level account foothold. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An administrator deactivates a user account (e.g., an employee departure or policy violation), but that user had previously configured scheduled model automations. On the next scheduled trigger, `execute_automation` loads the user's automation without re-validating the account's active status or `features.automations` entitlement, and `check_model_access` passes because the cached role still matches the stored grant. … |
| Remediation | Upgrade to Open WebUI v0.10.0, which resolves the issue by adding live user-status and feature-entitlement re-checks within `execute_automation` and correcting the role-scoped model access enforcement in `check_model_access`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Webui
View allA vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42620