CVE-2026-44562 Overview
CVE-2026-44562 is a broken access control vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The flaw exists in the POST /api/v1/models/import endpoint in versions prior to 0.9.0. Authenticated users with the workspace.models_import permission can overwrite any existing model in the database, regardless of ownership. The endpoint merges attacker-supplied payloads over existing model data without ownership validation or access grant enforcement. The vulnerability is tracked under [CWE-283: Unverified Ownership] and is resolved in version 0.9.0.
Critical Impact
Authenticated attackers can overwrite arbitrary models in the database, tampering with model configurations, system prompts, and behavior used by other workspace users.
Affected Products
- Open WebUI versions prior to 0.9.0
- Self-hosted Open WebUI deployments exposing the model import API
- Multi-tenant Open WebUI instances granting workspace.models_import permissions
Discovery Timeline
- 2026-05-15 - CVE-2026-44562 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44562
Vulnerability Analysis
The vulnerability resides in the POST /api/v1/models/import endpoint of Open WebUI. The endpoint allows users holding the workspace.models_import permission to import model definitions into the database. When an imported model's ID matches an existing record, the handler merges the attacker's payload over the existing model data and writes the result to the database.
The handler performs the merge and write without validating model ownership. Unlike other model mutation endpoints, the import path never calls filter_allowed_access_grants. This omission bypasses the access grant restrictions that gate every other model write operation. Any authenticated user with the import permission can target a model owned by another user or workspace.
The vulnerability falls under [CWE-283: Unverified Ownership]. Confidentiality is not affected, but integrity impact is high because attackers can alter model parameters, system prompts, and connected tool configurations consumed by downstream users.
Root Cause
The import endpoint treats matching model IDs as an update operation but skips the authorization checks applied to direct update endpoints. The missing call to filter_allowed_access_grants removes the ownership and access grant validation present elsewhere in the codebase.
Attack Vector
An authenticated attacker with the workspace.models_import permission sends a crafted POST request to /api/v1/models/import. The payload specifies an existing model ID owned by another user. The server merges the attacker's fields, including system prompts, parameters, and tool configurations, over the original model and persists the change. Downstream users querying that model receive the tampered version.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-mqq6-cqcx-38vg for additional technical context.
Detection Methods for CVE-2026-44562
Indicators of Compromise
- Unexpected modifications to model records, particularly changes to system_prompt, params, or tool bindings on models not owned by the requesting user
- HTTP POST requests to /api/v1/models/import containing model IDs that match pre-existing records in the database
- Audit log entries showing model updates without a corresponding direct edit by the model owner
Detection Strategies
- Inspect application logs for POST requests to /api/v1/models/import and correlate the request user ID against the ownership of the referenced model ID
- Enable database-level audit logging on the models table to capture row-level changes, including the actor performing each write
- Alert on any successful import where the resulting model's owner field differs from the authenticated request user
Monitoring Recommendations
- Forward Open WebUI application and reverse proxy logs to a centralized SIEM for correlation
- Track baseline frequency of models/import calls per user and alert on deviations
- Review the audit trail of high-value models (those backing production assistants or shared tools) on a recurring schedule
How to Mitigate CVE-2026-44562
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.0 or later, which removes the unauthorized overwrite path
- Audit the workspace.models_import permission assignments and remove it from accounts that do not require model import capability
- Review existing models for signs of unauthorized modification and restore from backups where tampering is suspected
Patch Information
The vulnerability is fixed in Open WebUI 0.9.0. The patch adds ownership validation and invokes filter_allowed_access_grants on the import endpoint, aligning its authorization behavior with other model mutation endpoints. See the GitHub Security Advisory GHSA-mqq6-cqcx-38vg for full release notes.
Workarounds
- Restrict the workspace.models_import permission to trusted administrators only until the upgrade is applied
- Place Open WebUI behind a reverse proxy that blocks or rate-limits requests to /api/v1/models/import
- Take regular database backups of the models table to enable rapid recovery from unauthorized overwrites
# Upgrade Open WebUI via Docker
docker pull ghcr.io/open-webui/open-webui:0.9.0
docker stop open-webui
docker rm open-webui
docker run -d -p 3000:8080 \
-v open-webui:/app/backend/data \
--name open-webui \
ghcr.io/open-webui/open-webui:0.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
