CVE-2026-44555: Open WebUI Auth Bypass Vulnerability

CVE-2026-44555 is an authentication bypass flaw in Open WebUI that lets users access restricted base models by chaining them through user-defined models. This article covers technical details, affected versions, and mitigations.

CVE-2026-44555 Overview

CVE-2026-44555 is a broken access control vulnerability [CWE-862] in Open WebUI, a self-hosted artificial intelligence platform. Versions prior to 0.9.0 fail to re-verify user access to base models referenced through the base_model_id parameter during model composition. Any authenticated user with default model creation permission can create a composed model that chains to a restricted base model, then invoke it. The server dispatches the request to the restricted model using the admin-configured API key. The issue is fixed in version 0.9.0.

Critical Impact

Low-privileged users can bypass access controls to invoke restricted AI models and consume admin-configured API keys, leading to unauthorized inference and potential billing abuse.

Affected Products

  • Open WebUI versions prior to 0.9.0
  • Self-hosted deployments using model composition with base_model_id
  • Multi-tenant Open WebUI instances with restricted base models

Discovery Timeline

  • 2026-05-15 - CVE-2026-44555 published to NVD
  • 2026-05-19 - Last updated in NVD database

Technical Details for CVE-2026-44555

Vulnerability Analysis

Open WebUI supports model composition through the base_model_id field. A user can define a custom model such as Cheap Assistant that delegates inference to an existing base model such as gpt-4-turbo-restricted. The access control pipeline checks whether the caller can access the composed (wrapper) model. It does not re-check access to the underlying base model referenced by base_model_id.

The model creation and import endpoints compound the issue. They accept arbitrary base_model_id values without validating that the caller has permission to use the referenced base model. An attacker with only the default model creation permission can therefore construct a wrapper model pointing at any restricted base model on the server. Invocation of the wrapper triggers the server to forward the request to the restricted base model using the admin-configured API key, defeating the intended access boundary.

Root Cause

The root cause is missing authorization [CWE-862] on the chained model reference. Access checks operate on the composed model identifier instead of resolving the full inference chain and validating each link against the caller's permissions.
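
The difference between checking only the wrapper and validating every link can be shown with a small in-memory registry. This is an added illustration, not Open WebUI's code: the Model class, the allowed_users grant set, and both authorize functions are hypothetical, and the sample data is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Model:
    id: str
    owner: str
    base_model_id: str | None = None   # None means a provider-backed base model
    allowed_users: set[str] = field(default_factory=set)


def can_access(user: str, model: Model) -> bool:
    """Direct permission on one model: owner or explicit grant (assumed policy)."""
    return user == model.owner or user in model.allowed_users


def authorize_wrapper_only(user: str, model_id: str, registry: dict[str, Model]) -> bool:
    """Flawed pattern from the analysis: only the composed model is checked."""
    return can_access(user, registry[model_id])


def authorize_chain(user: str, model_id: str, registry: dict[str, Model]) -> bool:
    """Walk base_model_id links and check each one against the caller.
    Unknown references and cycles are denied rather than followed."""
    seen: set[str] = set()
    current: str | None = model_id
    while current is not None:
        model = registry.get(current)
        if model is None or current in seen or not can_access(user, model):
            return False
        seen.add(current)
        current = model.base_model_id
    return True


# Constructed sample data: a restricted base model and two user-made wrappers.
REGISTRY = {
    "gpt-4-turbo-restricted": Model("gpt-4-turbo-restricted", owner="admin"),
    "open-base": Model("open-base", owner="admin", allowed_users={"alice"}),
    "cheap-assistant": Model("cheap-assistant", owner="alice",
                             base_model_id="gpt-4-turbo-restricted"),
    "alice-helper": Model("alice-helper", owner="alice", base_model_id="open-base"),
}
```

The same chain check applies at both model creation and inference time, the two points where the 0.9.0 patch is described as enforcing authorization.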

Attack Vector

The attack is network-based and requires only low-privilege authenticated access. An attacker authenticates to the Open WebUI API, calls the model creation or import endpoint with a base_model_id pointing at a restricted model, then sends a chat completion request to the newly created wrapper. The server uses admin credentials to serve the response.

No verified public exploit code is available. See the GitHub Security Advisory GHSA-9vvh-qmjx-p4q8 for vendor technical details.

Detection Methods for CVE-2026-44555

Indicators of Compromise

  • Creation of new user-owned models whose base_model_id references a restricted or admin-only base model.
  • Inference traffic to restricted base models originating from low-privileged user accounts.
  • Unexpected spikes in token consumption on admin-configured API keys tied to restricted models.

Detection Strategies

  • Audit the Open WebUI database for model entries where the owning user lacks direct permission on the referenced base_model_id.
  • Correlate model creation API calls with subsequent chat completion requests that resolve to restricted upstream providers.
  • Review API gateway logs for outbound calls to restricted model endpoints triggered by non-admin sessions.
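
The database audit in the first strategy can be expressed as a single query. The following is an added example, not part of the vendor advisory or Open WebUI itself: the table and column names (model, model_grant, app_user) are a hypothetical simplified schema that must be mapped to the real deployment, and the rows are constructed sample data.

```python
import sqlite3

# Hypothetical schema for illustration; real table and column names will differ.
SCHEMA = """
CREATE TABLE app_user    (id TEXT PRIMARY KEY, role TEXT);
CREATE TABLE model       (id TEXT PRIMARY KEY, user_id TEXT, base_model_id TEXT);
CREATE TABLE model_grant (model_id TEXT, user_id TEXT);
"""

# Flag every non-admin model whose owner neither owns nor holds a grant on the
# referenced base model. Dangling base_model_id references are flagged too.
AUDIT_SQL = """
SELECT m.id, m.user_id, m.base_model_id
FROM model AS m
JOIN app_user AS u ON u.id = m.user_id
WHERE m.base_model_id IS NOT NULL
  AND u.role <> 'admin'
  AND NOT EXISTS (SELECT 1 FROM model AS b
                  WHERE b.id = m.base_model_id AND b.user_id = m.user_id)
  AND NOT EXISTS (SELECT 1 FROM model_grant AS g
                  WHERE g.model_id = m.base_model_id AND g.user_id = m.user_id)
ORDER BY m.id
"""


def find_unauthorized_chains(conn: sqlite3.Connection) -> list:
    """Return (model_id, owner, base_model_id) rows that need review."""
    return conn.execute(AUDIT_SQL).fetchall()


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: one violating wrapper, one legitimate one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO app_user VALUES (?, ?)",
                     [("admin", "admin"), ("alice", "user"), ("bob", "user")])
    conn.executemany("INSERT INTO model VALUES (?, ?, ?)", [
        ("gpt-4-turbo-restricted", "admin", None),
        ("open-base", "admin", None),
        ("cheap-assistant", "alice", "gpt-4-turbo-restricted"),
        ("bob-helper", "bob", "open-base"),
    ])
    conn.executemany("INSERT INTO model_grant VALUES (?, ?)", [("open-base", "bob")])
    return conn
```

Because each row is checked against its direct base_model_id, a longer chain of wrappers is caught at whichever link first references a model the owner cannot use.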

Monitoring Recommendations

  • Enable verbose request logging on Open WebUI and forward to a centralized log platform for analysis.
  • Track per-user token usage against admin-configured API keys and alert on anomalies.
  • Monitor the /api/models/create and /api/models/import endpoints for use of sensitive base_model_id values.

How to Mitigate CVE-2026-44555

Immediate Actions Required

  • Upgrade Open WebUI to version 0.9.0 or later, which enforces access checks across the full model chain.
  • Rotate any admin-configured API keys that may have been exposed to unauthorized inference requests.
  • Review existing user-created models and remove entries chaining to restricted base models.

Patch Information

The vendor fixed the vulnerability in Open WebUI 0.9.0. The patch enforces authorization on the referenced base_model_id at both model creation and inference time. Refer to the GitHub Security Advisory GHSA-9vvh-qmjx-p4q8 for the official advisory.

Workarounds

  • Revoke the default model creation permission for non-administrator users until the upgrade is complete.
  • Restrict the Open WebUI instance to trusted users via network segmentation or an authenticating reverse proxy.
  • Remove restricted base models from the instance and provision them on a separate, isolated deployment.

```bash
# Configuration example: disable default model creation for regular users
# In Open WebUI admin settings, set:
ENABLE_MODEL_FILTER=true
USER_PERMISSIONS_MODEL_CREATE=false
USER_PERMISSIONS_MODEL_IMPORT=false
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
