CVE-2026-44563 Overview
CVE-2026-44563 is a missing authorization vulnerability [CWE-862] in Open WebUI, a self-hosted artificial intelligence platform. Versions prior to 0.9.0 expose four Ollama proxy endpoints that fail to enforce per-model access controls. Any authenticated non-pending user can invoke /api/generate, /api/embed, /api/embeddings, and /api/show against models they should not be permitted to access. The endpoints validate that the model exists in the unfiltered model list but never call AccessGrants.has_access(). The maintainers fixed the issue in version 0.9.0.
Critical Impact
Authenticated users can bypass per-model access controls to query restricted Ollama models, leading to unauthorized inference and disclosure of model metadata.
Affected Products
- Open WebUI versions prior to 0.9.0
- Deployments using the Ollama backend integration
- Multi-tenant Open WebUI instances relying on AccessGrants for model isolation
Discovery Timeline
- 2026-05-15 - CVE-2026-44563 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44563
Vulnerability Analysis
Open WebUI is designed to operate entirely offline and supports multi-user deployments where administrators restrict model access using AccessGrants. The flaw resides in four Ollama proxy endpoints: /api/generate, /api/embed, /api/embeddings, and /api/show. These endpoints accept any model name supplied by the client and forward the request directly to the Ollama backend.
The handlers gate access with get_verified_user, which only confirms that the caller is an authenticated, non-pending account. The handlers then confirm that the requested model exists in the full unfiltered model catalog. They do not invoke AccessGrants.has_access() to verify whether the caller is permitted to use that specific model. As a result, low-privilege users can target models intended for other groups or administrators.
Root Cause
The root cause is missing authorization [CWE-862] in the request handlers. Authentication is verified, but the per-resource access control check is absent. The model existence check operates on the unfiltered list, so it cannot substitute for an entitlement check.
Attack Vector
The attack vector is network-based and requires valid low-privilege credentials. An attacker with any authenticated, non-pending account submits a request to one of the four endpoints, supplying the name of a restricted model. The proxy forwards the request to Ollama and returns generations, embeddings, or model metadata to the caller.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-rcvp-6fgw-c7fh for additional technical context.
Detection Methods for CVE-2026-44563
Indicators of Compromise
- Authenticated requests to /api/generate, /api/embed, /api/embeddings, or /api/show referencing model identifiers that the calling user has no AccessGrants entry for.
- Spikes in Ollama backend invocations from non-administrative user sessions targeting privileged or internal-only models.
- Successful HTTP 200 responses from /api/show for models that should be hidden from the requesting user's UI.
Detection Strategies
- Correlate Open WebUI access logs with AccessGrants configuration to flag any model invocation that lacks a matching grant for the requesting user.
- Deploy reverse-proxy or web application firewall rules that inspect the model field in JSON request bodies to the four affected endpoints.
- Hunt for lateral enumeration patterns where a single account queries /api/show across a wide range of model names in short succession.
Monitoring Recommendations
- Forward Open WebUI application logs and Ollama backend logs to a centralized SIEM for retroactive analysis.
- Alert on any user account that invokes a model it has never used before, especially immediately after authentication.
- Track the ratio of authorized to unauthorized model references per user as a behavioral baseline.
How to Mitigate CVE-2026-44563
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.0 or later, which adds the missing AccessGrants.has_access() checks on the affected endpoints.
- Audit existing AccessGrants configurations to confirm that sensitive models are only granted to intended users and groups.
- Rotate or review API tokens issued to low-privilege accounts, since any authenticated session could have abused the flaw.
Patch Information
The vulnerability is fixed in Open WebUI 0.9.0. The patch adds per-model authorization checks to /api/generate, /api/embed, /api/embeddings, and /api/show so requests are rejected when the caller lacks an AccessGrants entry for the target model. See the GitHub Security Advisory GHSA-rcvp-6fgw-c7fh for upgrade guidance.
Workarounds
- Restrict network access to the Open WebUI instance using firewall rules or a reverse proxy, limiting it to trusted users until the upgrade is complete.
- Temporarily disable the Ollama backend integration or remove sensitive models from the host if upgrading is not immediately possible.
- Block direct client access to /api/generate, /api/embed, /api/embeddings, and /api/show at an upstream proxy and force traffic through controlled application paths.
# Example: block the affected endpoints at an Nginx reverse proxy
location ~ ^/api/(generate|embed|embeddings|show)$ {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
