Skip to main content

Open WebUI EUVDEUVD-2026-42620

| CVE-2026-59226 MEDIUM
Improper Authorization (CWE-285)
2026-07-09 GitHub_M
4.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
LOW
qualitative
NVD
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
4.2 MEDIUM

AC:H reflects multi-step precondition chain; PR:L for prior authenticated account; I:L added because unauthorized scheduled execution represents an integrity violation beyond mere resource consumption.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Severity Changed
Jul 10, 2026 - 02:52 NVD
LOW MEDIUM
CVSS changed
Jul 10, 2026 - 02:52 NVD
3.1 (LOW) 4.3 (MEDIUM)
Patch available
Jul 09, 2026 - 18:01 EUVD
Analysis Generated
Jul 09, 2026 - 17:21 vuln.today

DescriptionNVD

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0.

AnalysisAI

Improper authorization in Open WebUI 0.9.x allows deactivated or pending users to continue executing scheduled AI model automations after their accounts should have lost that capability. The execute_automation function rehydrated automation owners without re-verifying that the owner account was still active or still held the features.automations permission, and check_model_access enforced private-model grants only against the current user role at the time of check rather than re-validating eligibility at execution time. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
User account deactivated by admin
Delivery
Scheduler fires on previously-created automation
Exploit
execute_automation rehydrates owner without live status check
Execution
check_model_access passes on stale role grant
Persist
Unauthorized model execution proceeds
Impact
Automation outputs delivered to configured destination

Vulnerability AssessmentAI

Exploitation Exploitation requires three specific preconditions: (1) a user account in Open WebUI 0.9.x that was previously active and in a state with `features.automations` enabled, (2) that user must have created at least one scheduled automation before account deactivation or transition to 'pending' status, and (3) the account must have been deactivated or moved to pending status without those automations being explicitly removed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 3.1 (Low) is consistent with the realistic threat model: AV:N indicates network reachability, but AC:H captures the multi-step precondition chain (an account must have been active, created automations, and then been deactivated), and PR:L requires that the attacker already holds a user-level account foothold. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An administrator deactivates a user account (e.g., an employee departure or policy violation), but that user had previously configured scheduled model automations. On the next scheduled trigger, `execute_automation` loads the user's automation without re-validating the account's active status or `features.automations` entitlement, and `check_model_access` passes because the cached role still matches the stored grant. …
Remediation Upgrade to Open WebUI v0.10.0, which resolves the issue by adding live user-status and feature-entitlement re-checks within `execute_automation` and correcting the role-scoped model access enforcement in `check_model_access`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-7053 CRITICAL POC
9.0 Mar 20

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session

CVE-2024-8017 CRITICAL POC
9.0 Mar 20

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the

CVE-2024-7044 HIGH POC
8.9 Mar 20

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui

CVE-2024-7806 HIGH POC
8.8 Mar 20

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit

CVE-2024-6707 HIGH POC
8.8 Aug 07

Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver

CVE-2025-65959 HIGH POC
8.7 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St

CVE-2025-65958 HIGH POC
8.5 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se

CVE-2024-7990 HIGH POC
8.4 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV

CVE-2024-8053 HIGH POC
8.2 Mar 20

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u

CVE-2024-7034 HIGH POC
7.2 Mar 20

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin

CVE-2024-7959 HIGH POC
7.7 Mar 20

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)

CVE-2024-12537 HIGH POC
7.5 Mar 20

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker

Share

EUVD-2026-42620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy