CVE-2026-45667 Overview
CVE-2026-45667 is a missing authorization vulnerability [CWE-862] in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. Versions prior to 0.8.0 expose the GET /api/v1/memories/ef endpoint without authentication. The endpoint invokes request.app.state.EMBEDDING_FUNCTION(...), allowing any unauthenticated caller to trigger embedding generation. When a paid embedding provider is configured, an attacker can run up charges that are billed directly to the operator. Open WebUI version 0.8.0 resolves the issue.
Critical Impact
Unauthenticated network attackers can repeatedly invoke embedding generation, causing financial loss to operators using paid embedding providers and consuming backend resources.
Affected Products
- Open WebUI versions prior to 0.8.0
- Self-hosted Open WebUI deployments exposed to untrusted networks
- Open WebUI instances configured with paid embedding providers (e.g., commercial APIs)
Discovery Timeline
- 2026-05-15 - CVE-2026-45667 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45667
Vulnerability Analysis
The vulnerability resides in Open WebUI's memories API. The route GET /api/v1/memories/ef is registered without an authentication dependency. Any HTTP client that can reach the server can request the endpoint and trigger request.app.state.EMBEDDING_FUNCTION(...). The embedding function performs vector generation against the configured backend, which may be a paid third-party provider such as a commercial large language model (LLM) API.
Because the endpoint executes server-side work on each request, the missing authorization check converts a routine internal helper into an unauthenticated trigger for billable operations. Attackers do not need credentials, user interaction, or knowledge of internal state.
Root Cause
The root cause is missing authorization [CWE-862] on the /api/v1/memories/ef route. The handler omits the authentication and authorization dependency applied to sibling endpoints in the memories router. As a result, the route inherits no identity checks before dispatching to EMBEDDING_FUNCTION.
Attack Vector
Exploitation requires only network reachability to the Open WebUI HTTP interface. An attacker issues repeated unauthenticated GET requests to /api/v1/memories/ef. Each request causes the server to invoke the embedding function, generating provider charges and consuming CPU, memory, and outbound API quota. The attack is scriptable and trivially parallelizable, producing sustained cost amplification against the operator.
No verified public exploit code is available. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-m69w-p7m4-585j.
Detection Methods for CVE-2026-45667
Indicators of Compromise
- Unauthenticated GET requests to /api/v1/memories/ef in Open WebUI access logs
- High-volume or repetitive requests to the memories endpoint from a single source IP or distributed sources
- Unexpected spikes in embedding provider API usage or billing dashboards
Detection Strategies
- Search HTTP access logs for the path /api/v1/memories/ef correlated with missing or empty Authorization headers
- Alert on anomalous rates of embedding API calls from the Open WebUI service account toward paid providers
- Correlate provider billing telemetry with Open WebUI request logs to identify cost drift
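As an added example that is not part of the advisory, the following Python script applies the first two detection strategies above to reverse-proxy access logs. It assumes a hypothetical nginx "combined" format with the $http_authorization value appended as a final quoted field, flags GET requests to /api/v1/memories/ef that carry no credential, and reports source addresses whose request rate to that path exceeds a threshold; the sample log lines are constructed.

```python
# Added example, not from the advisory: flag unauthenticated and bursty GET
# requests to the vulnerable Open WebUI endpoint in reverse-proxy access logs.
# Assumes (hypothetical) nginx "combined" format with "$http_authorization"
# appended as a final quoted field so auth presence is visible in the log.
import re
from collections import Counter, defaultdict
from datetime import datetime
VULN_PATH = "/api/v1/memories/ef"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<auth>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # line does not match the assumed log format
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]  # ignore the query string
    return d

def analyze(lines, window_s=60, rate_threshold=20):
    # Returns (unauthenticated hits per source IP, IPs exceeding the rate threshold)
    unauth, stamps = Counter(), defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r is None or r["method"] != "GET" or r["path"] != VULN_PATH:
            continue
        stamps[r["ip"]].append(r["ts"])
        if r["auth"] in ("", "-"):  # no Authorization header was logged
            unauth[r["ip"]] += 1
    bursts = set()
    for ip, ts in stamps.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):  # sliding window over sorted timestamps
            while (ts[hi] - ts[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= rate_threshold:
                bursts.add(ip)
                break
    return unauth, bursts

# Constructed sample log: one authenticated call, then 25 unauthenticated calls
# within 25 seconds from a single source address (not real traffic).
SAMPLE_LOG = [
    '198.51.100.9 - - [15/May/2026:10:00:00 +0000] "GET /api/v1/memories/ef?text=hi HTTP/1.1" 200 812 "-" "Mozilla/5.0" "Bearer [REDACTED]"'
] + [
    f'203.0.113.7 - - [15/May/2026:10:00:{i:02d} +0000] "GET /api/v1/memories/ef?text=x HTTP/1.1" 200 812 "-" "python-requests/2.31" "-"'
    for i in range(1, 26)
]
```

Tune window_s and rate_threshold to the legitimate request rate of your deployment before alerting on the burst set.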
Monitoring Recommendations
- Enable structured access logging on the Open WebUI reverse proxy and forward logs to a centralized analytics platform
- Configure budget alerts and rate limits at the embedding provider for the API key used by Open WebUI
- Monitor outbound network connections from the Open WebUI host for unexpected request volume to embedding provider endpoints
How to Mitigate CVE-2026-45667
Immediate Actions Required
- Upgrade Open WebUI to version 0.8.0 or later, where the endpoint enforces authentication
- Restrict network exposure of the Open WebUI HTTP interface to trusted users via VPN, reverse proxy authentication, or IP allowlisting
- Rotate the embedding provider API key if abnormal usage is observed and apply provider-side spending caps
Patch Information
The vulnerability is fixed in Open WebUI 0.8.0. Operators should review the GitHub Security Advisory GHSA-m69w-p7m4-585j for upgrade instructions and verify the fix is present in their deployment.
Workarounds
- Place Open WebUI behind a reverse proxy that requires authentication for all /api/v1/memories/* paths
- Block external access to /api/v1/memories/ef at the proxy or web application firewall (WAF) layer until the upgrade is applied
- Temporarily configure a local or free embedding backend to eliminate paid-provider cost exposure
# Example nginx block to deny external access to the vulnerable endpoint
# (goes inside the server block that proxies Open WebUI; deny all answers 403 on its own)
location = /api/v1/memories/ef {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.