CVE-2026-44558 Overview
CVE-2026-44558 is a missing authorization vulnerability [CWE-862] in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The flaw resides in the channel router, which fails to invoke filter_allowed_access_grants on both create and update code paths. Non-admin users who can create group channels, or who own a channel, can submit arbitrary access grants. These grants include public wildcard grants and are stored verbatim, bypassing the administrator's permission framework. The issue affects all Open WebUI versions prior to 0.9.0 and is fixed in version 0.9.0.
Critical Impact
Authenticated non-admin users can override administrator-defined access controls and expose channel data through wildcard grants, undermining tenant isolation in multi-user deployments.
Affected Products
- Open WebUI versions prior to 0.9.0
- Self-hosted Open WebUI deployments with non-admin users permitted to create group channels
- Open WebUI instances where users own channels and can modify access grants
Discovery Timeline
- 2026-05-15 - CVE-2026-44558 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in the NVD database
Technical Details for CVE-2026-44558
Vulnerability Analysis
The vulnerability is a broken access control flaw in Open WebUI's channel router. When a user creates or updates a channel, the router persists supplied access grants directly to storage. The filter_allowed_access_grants function, which is responsible for validating that submitted grants comply with the administrator's permission framework, is not called on either path. As a result, the server accepts grants that the administrator never authorized, including wildcard grants that expose the channel publicly.
The attacker must be authenticated and must hold the ability to create group channels or own an existing channel. Once those preconditions are met, the attacker submits crafted grant payloads through the standard channel API. Because the validation layer is skipped, the platform stores and enforces the malicious grants as if they were legitimate.
Root Cause
The root cause is a missing authorization check [CWE-862] in the channel router logic. The create and update handlers omit the call to filter_allowed_access_grants, which is the central enforcement point for grant validation. Without this guardrail, server-side trust is placed in client-supplied grant data.
Attack Vector
Exploitation is network-based and requires low-privilege authentication. An attacker with channel-creation or channel-ownership rights sends an HTTP request to the channel create or update endpoint. The request body contains arbitrary access grants, including wildcard entries that grant public read or write access. The server stores these grants without filtering, and subsequent access decisions honor them.
No verified public exploit or proof-of-concept code is available at the time of publication. Refer to the GitHub Security Advisory GHSA-7rjh-px4v-5w55 for vendor technical details.
Detection Methods for CVE-2026-44558
Indicators of Compromise
- Channel records containing wildcard access grants (for example, entries granting access to all users or public roles) that were not provisioned by an administrator.
- Audit log entries showing channel create or update operations submitted by non-admin accounts immediately followed by grant changes.
- Unexpected access to channel content from accounts or groups outside the administrator-defined permission set.
Detection Strategies
- Compare current channel access grants against the administrator's approved permission baseline and flag any deviations.
- Inspect application logs for channel create and update API calls originating from non-admin users and correlate them with grant modifications.
- Run database queries against the channels table to enumerate grants containing wildcard identifiers or public scope markers.
Monitoring Recommendations
- Enable verbose audit logging on the Open WebUI channel router endpoints and forward events to a centralized logging platform for review.
- Alert on any access grant change performed by accounts that lack administrator role assignments.
- Periodically export and review the full set of channel access grants to detect unauthorized public exposure.
How to Mitigate CVE-2026-44558
Immediate Actions Required
- Upgrade all Open WebUI instances to version 0.9.0 or later, which restores the filter_allowed_access_grants enforcement on create and update paths.
- Audit existing channels for unauthorized wildcard or public grants and revert them to administrator-approved values.
- Restrict the ability to create group channels to trusted users until the upgrade is complete.
Patch Information
Open WebUI version 0.9.0 contains the official fix. The patch ensures the channel router calls filter_allowed_access_grants on both create and update operations, enforcing the administrator's permission framework before persisting any grant. Patch details are documented in the Open WebUI GitHub Security Advisory.
Workarounds
- Remove channel-creation permissions from non-admin user groups until the upgrade is applied.
- Transfer ownership of existing channels to administrator accounts to prevent non-admin grant modifications.
- Implement an out-of-band review process that validates channel access grants against the approved permission baseline on a recurring schedule.
# Configuration example: upgrade Open WebUI container to the patched release
docker pull ghcr.io/open-webui/open-webui:0.9.0
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui \
-p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
