CVE-2026-44559 Overview
CVE-2026-44559 is a missing authorization vulnerability [CWE-862] in Open WebUI, a self-hosted artificial intelligence platform designed to operate offline. The flaw affects the GET /api/v1/channels/{id}/members endpoint in versions prior to 0.9.0. The endpoint only enforces access checks for group and dm channel types. Standard channels, including private ones, skip the channel_has_access check entirely. Any authenticated user who knows a private channel's UUID can enumerate every user with access to that channel. The issue is patched in version 0.9.0.
Critical Impact
Authenticated users can disclose the membership of private channels by querying the channel members API endpoint with a known UUID.
Affected Products
- Open WebUI versions prior to 0.9.0
- Self-hosted Open WebUI deployments exposing the channels API
- Multi-tenant Open WebUI instances with private channel usage
Discovery Timeline
- 2026-05-15 - CVE-2026-44559 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44559
Vulnerability Analysis
The vulnerability resides in the channel members API handler. When a client issues a GET request to /api/v1/channels/{id}/members, the server returns the list of users associated with the supplied channel UUID. The handler branches on channel type and applies the channel_has_access authorization check only when the channel type is group or dm. Standard channels, including those marked private, fall through without any membership validation. The server then returns the member list to the caller. An authenticated attacker who obtains or guesses a channel UUID can map the full set of users that have access to that channel, revealing organizational structure and private collaboration boundaries.
Root Cause
The root cause is missing function-level authorization in the channel members endpoint at lines 467-469 of the affected handler. The authorization logic is gated behind a conditional that fires only for the group and dm channel types, so standard channels, including private ones, reach the member-list response without passing through any access control gate.
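The control-flow defect described in the analysis and root cause above, shown as an added illustration that is not Open WebUI's own handler code. The channel model, the channel type labels ("standard", "group", "dm"), the helper names channel_has_access, get_members_vulnerable and get_members_fixed, and the constructed membership data are all assumptions chosen to make the type-gated check visible next to the fixed form where the check runs for every channel type.

```python
"""Illustrative model of the type-gated authorization check (added example,
not Open WebUI code). All names, type labels and data here are assumed."""
from dataclasses import dataclass, field
from uuid import uuid4


class AccessDenied(Exception):
    """Raised when the caller may not read the channel."""


@dataclass
class Channel:
    id: str
    type: str                      # assumed labels: "standard", "group", "dm"
    private: bool
    members: set = field(default_factory=set)


def channel_has_access(user_id: str, channel: Channel) -> bool:
    """Membership check; a public standard channel is readable by anyone."""
    if channel.type == "standard" and not channel.private:
        return True
    return user_id in channel.members


def get_members_vulnerable(user_id: str, channel: Channel) -> list:
    """Pre-0.9.0 shape: the check only fires for group and dm channels, so a
    private standard channel falls straight through to the member list."""
    if channel.type in ("group", "dm"):
        if not channel_has_access(user_id, channel):
            raise AccessDenied(channel.id)
    return sorted(channel.members)


def get_members_fixed(user_id: str, channel: Channel) -> list:
    """Fixed shape: the access check is applied regardless of channel type."""
    if not channel_has_access(user_id, channel):
        raise AccessDenied(channel.id)
    return sorted(channel.members)


# Constructed data: one private standard channel with two members, and an
# authenticated user who is not a member.
PRIVATE = Channel(id=str(uuid4()), type="standard", private=True,
                  members={"alice", "bob"})
OUTSIDER = "mallory"


def demo() -> tuple:
    """Return (what the vulnerable handler discloses to the non-member,
    whether the fixed handler denies that same request)."""
    leaked = get_members_vulnerable(OUTSIDER, PRIVATE)
    try:
        get_members_fixed(OUTSIDER, PRIVATE)
        denied = False
    except AccessDenied:
        denied = True
    return leaked, denied


if __name__ == "__main__":
    print(demo())   # (['alice', 'bob'], True)
```

The fix is not a new check but a change in where the existing one is applied: moving channel_has_access out of the type-specific branch so the deny path is reached for every channel type is what closes the disclosure.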
Attack Vector
Exploitation requires network access to the Open WebUI API and a valid authenticated session. The attacker supplies a known or leaked channel UUID to the members endpoint and receives the membership roster without being a member. No user interaction is required, and the attack does not modify data or affect availability.
No public proof-of-concept code is referenced in the advisory. Refer to the Open WebUI GitHub Security Advisory GHSA-c7wp-3qh5-55pv for vendor technical details.
Detection Methods for CVE-2026-44559
Indicators of Compromise
- Repeated authenticated GET requests to /api/v1/channels/{id}/members from a single user account across many distinct channel UUIDs.
- API access patterns where a user queries member lists for channels they are not a documented member of.
- Unusual UUID enumeration sequences in Open WebUI access logs targeting the channels endpoint.
Detection Strategies
- Parse Open WebUI HTTP access logs and alert when a single session enumerates members across more channels than a baseline threshold within a short window.
- Correlate channel_id values in API logs against channel membership records to identify queries from non-members.
- Flag any access to the members endpoint where the requesting user lacks a corresponding entry in the channel ACL.
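The three detection strategies above, implemented over constructed sample log lines as an added example that is not part of the advisory or of Open WebUI. The JSON-lines log format (ts, user, method, path, status), the membership map, the per-user sliding window and the threshold of three distinct channels are assumptions; adapt parse_member_requests to whatever your reverse proxy or application actually emits.

```python
"""Members-endpoint enumeration and non-member detection over constructed
Open WebUI-style access logs (added example; log format and data assumed)."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MEMBERS_PATH = re.compile(r"^/api/v1/channels/([0-9a-fA-F-]{36})/members/?$")

# Constructed sample: alice reads her own channel once; mallory sweeps four
# distinct channel UUIDs in under a minute, none of which she belongs to.
SAMPLE_LOG = """
{"ts": "2026-05-16T10:00:01Z", "user": "alice",   "method": "GET", "path": "/api/v1/channels/11111111-1111-4111-8111-111111111111/members", "status": 200}
{"ts": "2026-05-16T10:00:05Z", "user": "mallory", "method": "GET", "path": "/api/v1/channels/11111111-1111-4111-8111-111111111111/members", "status": 200}
{"ts": "2026-05-16T10:00:09Z", "user": "mallory", "method": "GET", "path": "/api/v1/channels/22222222-2222-4222-8222-222222222222/members", "status": 200}
{"ts": "2026-05-16T10:00:12Z", "user": "mallory", "method": "GET", "path": "/api/v1/channels/33333333-3333-4333-8333-333333333333/members", "status": 200}
{"ts": "2026-05-16T10:00:20Z", "user": "mallory", "method": "GET", "path": "/api/v1/channels/44444444-4444-4444-8444-444444444444/members", "status": 200}
{"ts": "2026-05-16T10:00:25Z", "user": "bob",     "method": "GET", "path": "/api/v1/chats/", "status": 200}
"""

# Constructed membership records: channel_id -> set of member user ids.
MEMBERSHIP = {
    "11111111-1111-4111-8111-111111111111": {"alice", "bob"},
    "22222222-2222-4222-8222-222222222222": {"bob"},
    "33333333-3333-4333-8333-333333333333": {"alice"},
    "44444444-4444-4444-8444-444444444444": {"bob"},
}


def parse_member_requests(log_text):
    """Yield (timestamp, user, channel_id) for successful members-endpoint reads."""
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        m = MEMBERS_PATH.match(rec["path"])
        if not m or rec["method"] != "GET" or rec["status"] != 200:
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, rec["user"], m.group(1).lower()


def enumeration_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Strategy 1: users who read members of more than `threshold` distinct
    channels within a sliding time window."""
    recent = defaultdict(deque)     # user -> deque of (ts, channel_id)
    flagged = set()
    for ts, user, chan in parse_member_requests(log_text):
        q = recent[user]
        q.append((ts, chan))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({c for _, c in q}) > threshold:
            flagged.add(user)
    return sorted(flagged)


def non_member_alerts(log_text, membership):
    """Strategies 2 and 3: (user, channel_id) pairs where the requester has no
    entry in that channel's membership record."""
    hits = []
    for _, user, chan in parse_member_requests(log_text):
        if user not in membership.get(chan, set()):
            hits.append((user, chan))
    return hits


if __name__ == "__main__":
    print(enumeration_alerts(SAMPLE_LOG))          # ['mallory']
    print(non_member_alerts(SAMPLE_LOG, MEMBERSHIP))
```

The rate-based check needs only the access log, so it can run at the proxy tier; the non-member check is the higher-fidelity signal but requires exporting channel membership from the application database, and its hits are exactly the requests that a patched instance would have rejected.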
Monitoring Recommendations
- Forward Open WebUI application and reverse proxy logs to a centralized analytics pipeline for behavioral baselining.
- Track the rate of /api/v1/channels/*/members requests per authenticated principal and alert on outliers.
- Audit channel UUID exposure in logs, error messages, and client-side artifacts that could aid an attacker in enumeration.
How to Mitigate CVE-2026-44559
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.0 or later on all self-hosted deployments.
- Review existing private channel membership and assume membership metadata may have been disclosed if the instance was exposed to untrusted authenticated users.
- Rotate or invalidate any sensitive channel UUIDs that were previously embedded in shared links or external systems.
Patch Information
The vendor fixed CVE-2026-44559 in Open WebUI 0.9.0 by enforcing the channel_has_access check for standard and private channel types in the members endpoint. See the Open WebUI GitHub Security Advisory GHSA-c7wp-3qh5-55pv for the patch reference.
Workarounds
- Restrict Open WebUI API access to trusted users through network-level controls such as VPN, SSO, or IP allowlists until the upgrade can be applied.
- Disable or limit creation of private channels on vulnerable instances to reduce the disclosure surface.
- Audit authenticated user accounts and revoke unnecessary sessions before patching to limit pre-patch exploitation windows.
# Configuration example: upgrade Open WebUI container to the patched release
docker pull ghcr.io/open-webui/open-webui:0.9.0
docker stop open-webui
docker rm open-webui
docker run -d --name open-webui \
-p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.