PatchSiren cyber security CVE debrief
CVE-2026-44555 open-webui CVE debrief
CVE-2026-44555 is a high-severity access control flaw in Open WebUI’s model composition feature. Before 0.9.0, a user could create or import a composed model that pointed to a restricted base model, then invoke it even though they were not authorized for the underlying base model. The server would forward the request to that restricted model using the admin-configured API key, creating unauthorized access to protected inference resources.
- Vendor
- open-webui
- Product
- Unknown
- CVSS
- HIGH 7.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-19
Who should care
Administrators and operators of Open WebUI deployments, especially environments where some models are restricted while others are user-creatable or importable. Security teams should pay particular attention if non-admin users can create models or import model definitions.
Technical summary
The issue centers on chained model authorization. According to the advisory, Open WebUI verifies access to the composed model when a user submits a query, but it does not re-check authorization for the referenced base_model_id. The model creation and import endpoints also accept arbitrary base_model_id values without validating whether the caller can access that base model. As a result, a user with model-creation permission can create a composed model that targets a restricted base model and then use it to make the server dispatch inference to that restricted backend with an admin-configured API key. The vulnerability is fixed in Open WebUI 0.9.0.
Defensive priority
High. This is a network-reachable authorization bypass that can expose restricted model access and server-side credentials used for inference dispatch.
Recommended defensive actions
- Upgrade Open WebUI to version 0.9.0 or later.
- Review whether non-admin users can create or import models; restrict those permissions if not strictly required.
- Audit existing composed models for references to restricted or unintended base_model_id values.
- Verify that authorization checks cover both the composed model and any chained base model before inference is dispatched.
- Monitor logs for unusual model-creation, import, or invocation activity tied to restricted models.
- Rotate or review any API keys used by Open WebUI for backend model access if unauthorized use is suspected.
Evidence notes
The public GitHub Security Advisory states that prior to 0.9.0, Open WebUI allowed composed models to reference arbitrary base_model_id values, did not re-verify access to the chained base model during query handling, and fixed the problem in 0.9.0. The NVD entry lists the vulnerability as undergoing analysis and provides CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L with CWE-862 (Missing Authorization). The supplied CVE publication timestamp is 2026-05-15T20:16:46.967Z and the last modified timestamp is 2026-05-18T17:36:58.370Z.
Official resources
-
CVE-2026-44555 CVE record
CVE.org
-
CVE-2026-44555 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
Publicly disclosed on 2026-05-15 via the GitHub Security Advisory and reflected in the CVE/NVD records; the CVE was last modified on 2026-05-18.