CVE-2026-44562 open-webui CVE debrief

Who should care

Organizations running self-hosted Open WebUI instances with multiple users or untrusted workspace.models_import permission holders; multi-tenant deployments where model isolation between users or teams is security-critical

Technical summary

The vulnerability exists in the POST /api/v1/models/import endpoint where imported model data is merged directly into existing database records when IDs match. The endpoint fails to verify that the requesting user owns or has legitimate access to modify the target model, and does not invoke the filter_allowed_access_grants function used by other model modification endpoints. This allows any user with the workspace.models_import permission to overwrite arbitrary models, potentially injecting malicious system prompts, altering model configurations, or disrupting service for other users. The attack requires network access and valid authentication with the specific permission, but no user interaction.

Defensive priority

medium

Recommended defensive actions

• Upgrade Open WebUI to version 0.9.0 or later
• Review model access logs for unauthorized modifications between deployment and patch application
• Audit workspace.models_import permission assignments to limit to trusted administrative users
• Implement additional access control monitoring on model mutation endpoints pending upgrade

Evidence notes

CVE published 2026-05-15; NVD analysis completed with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. Vendor advisory confirms exploit availability and fix in version 0.9.0. CWE-283 (Unverified Ownership) and CWE-862 (Missing Authorization) identified as primary weaknesses.

Official resources