CVE-2026-44554
Open WebUI · Open WebUI
Open WebUI suffers from a missing authorization vulnerability, allowing authenticated users to perform unauthorized actions due to improper capability checks.
Executive summary
A missing authorization vulnerability in Open WebUI allows authenticated attackers to perform unauthorized actions, potentially leading to significant integrity and availability impacts.
Vulnerability
This is a CWE-862 (Missing Authorization) vulnerability where the application fails to verify if a user has the necessary permissions to execute specific functions. The CVSS vector indicates that while the attack requires low privileges (authenticated), it can be performed remotely by a malicious actor.
Business impact
The vulnerability poses a significant risk to the integrity and availability of the AI platform. A successful exploit could allow an unauthorized user to manipulate system configurations or disrupt services, potentially leading to data manipulation or system downtime. The CVSS score of 8.1 reflects the high impact on integrity and availability, necessitating prompt remediation.
Remediation
Immediate Action: Update the Open WebUI package to version 0.9.0 or later immediately.
Proactive Monitoring: Monitor system access logs for unusual administrative activity or requests to sensitive API endpoints by standard user accounts.
Compensating Controls: Implement strict network access controls to restrict access to the WebUI interface to trusted internal segments only.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the CVSS score of 8.1 and the ease of exploitation for authenticated users, organizations should prioritize updating their Open WebUI instances to version 0.9.0 without delay. Failure to patch may expose the platform to unauthorized configuration changes or service disruption.