PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44569 open-webui CVE debrief

Open WebUI versions prior to 0.6.19 contain an insecure direct object reference (IDOR) vulnerability in the channels message management system. The flaw exists in the message update and delete API endpoints, which validate only channel-level access permissions without verifying message ownership. While the frontend correctly restricts edit and delete functionality to message owners and administrators, the backend APIs lack equivalent ownership checks. This allows authenticated attackers with read access to a channel to modify or delete messages belonging to other users by directly invoking the affected API endpoints. The vulnerability has been assigned a CVSS 3.1 score of 7.1 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, indicating network attack vector, low attack complexity, low privileges required, no user interaction, and high impact to integrity with low availability impact. The weakness is categorized as CWE-862: Missing Authorization. The issue was published on May 15, 2026 and last modified on May 19, 2026. A fix is available in version 0.6.19.

Vendor
open-webui
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-19
Advisory published
2026-05-15
Advisory updated
2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances with multi-user channel functionality, particularly those relying on message integrity for collaborative AI workflows or audit compliance. The only precondition is an ordinary authenticated account with read access to a channel, so any user who can see a channel can alter or remove other users' messages. Security teams should prioritize patching because of the high integrity impact and low exploitation complexity.

Technical summary

The ownership rule (only a message's author or an administrator may edit or delete it) is enforced in the frontend but not in the backend. The affected update and delete endpoints check only that the caller has access to the channel; they never compare the requesting user with the message's author. Because the message identifier is supplied by the client, any authenticated channel member can substitute another user's message ID and the server acts on it, which is the IDOR condition and the reason for the CWE-862 (Missing Authorization) classification: the object-level check is absent, not merely bypassable. No user interaction is needed, since the attacker sends the API requests directly and the frontend restriction never comes into play.
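The pattern described above, reduced to a small in-memory model (an added example, not Open WebUI's code; the data classes, role names, store layout and function names are assumptions chosen to show the difference between a channel-level check and a per-message ownership check):

```python
"""Illustrative model of the CWE-862 pattern in the advisory.

Added example, not Open WebUI's code. The User/Message/Channel types,
the "user"/"admin" roles and the Store helper are all assumptions.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass
class User:
    id: str
    role: str = "user"  # assumed roles: "user" or "admin"


@dataclass
class Message:
    id: str
    channel_id: str
    user_id: str  # author of the message
    content: str


@dataclass
class Channel:
    id: str
    members: set = field(default_factory=set)  # user ids with read access


@dataclass
class Store:
    channels: dict
    messages: dict

    def has_channel_access(self, user: User, channel_id: str) -> bool:
        ch = self.channels.get(channel_id)
        return ch is not None and (user.role == "admin" or user.id in ch.members)

    def get_in_channel(self, channel_id: str, message_id: str) -> Message:
        # Look the message up *within* the channel that was authorized, so a
        # message id from another channel cannot ride on this channel's access.
        msg = self.messages.get(message_id)
        if msg is None or msg.channel_id != channel_id:
            raise KeyError("message not found in channel")
        return msg


def update_message_vulnerable(store: Store, user: User, channel_id: str,
                              message_id: str, new_content: str) -> Message:
    """Vulnerable shape: only the channel-level permission is checked.

    Any channel member can rewrite anyone's message by calling this directly;
    the frontend hides the button, the backend does not care who the author is.
    """
    if not store.has_channel_access(user, channel_id):
        raise Forbidden("no access to channel")
    msg = store.get_in_channel(channel_id, message_id)
    msg.content = new_content
    return msg


def can_modify_message(user: User, msg: Message) -> bool:
    """Ownership rule the frontend already applied; the fix enforces it server-side."""
    return user.role == "admin" or msg.user_id == user.id


def update_message_fixed(store: Store, user: User, channel_id: str,
                         message_id: str, new_content: str) -> Message:
    """Hardened shape: channel access AND message ownership (or admin)."""
    if not store.has_channel_access(user, channel_id):
        raise Forbidden("no access to channel")
    msg = store.get_in_channel(channel_id, message_id)
    if not can_modify_message(user, msg):
        raise Forbidden("not the message owner")
    msg.content = new_content
    return msg


def delete_message_fixed(store: Store, user: User, channel_id: str,
                         message_id: str) -> None:
    """Same two checks for delete; the object-level check is the one that was missing."""
    if not store.has_channel_access(user, channel_id):
        raise Forbidden("no access to channel")
    msg = store.get_in_channel(channel_id, message_id)
    if not can_modify_message(user, msg):
        raise Forbidden("not the message owner")
    del store.messages[msg.id]


def make_store() -> Store:
    """Constructed sample data: one channel with two members and two messages."""
    return Store(
        channels={"c1": Channel("c1", members={"alice", "bob"})},
        messages={
            "m1": Message("m1", "c1", "alice", "hello from alice"),
            "m2": Message("m2", "c1", "bob", "hello from bob"),
        },
    )


if __name__ == "__main__":
    store = make_store()
    bob = User("bob")
    # Vulnerable handler lets bob overwrite alice's message.
    print(update_message_vulnerable(store, bob, "c1", "m1", "rewritten").content)
    # Fixed handler refuses the same request.
    try:
        update_message_fixed(store, bob, "c1", "m1", "rewritten again")
    except Forbidden as e:
        print("fixed handler refused:", e)
```

Two details in the hardened version are worth keeping when writing the real check: the ownership comparison happens after the message has been loaded, so it tests the stored author rather than anything the client sent, and the lookup is scoped to the authorized channel, so a message ID from a channel the caller cannot see gets no special treatment either.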

Defensive priority

high

Recommended defensive actions

  • Upgrade Open WebUI to version 0.6.19 or later; this is the only complete remediation
  • Review application and reverse-proxy request logs for update and delete calls against channel message endpoints where the requesting user is neither the message author nor an administrator; where the application does not record message-level audit events, correlate request logs with message authorship from the message store
  • Where upgrading is delayed, restrict or rate-limit the message update and delete endpoints at the API gateway or WAF layer (for example, limiting them to administrators or trusted networks); note that message ownership is known only to the application, so a gateway can constrain these calls but cannot replace the missing server-side check
  • Audit custom integrations or scripts that interact with Open WebUI channel message APIs to ensure they do not rely on client-side access controls, and that any service account they use holds no more channel access than it needs
  • Monitor for anomalous API activity targeting message update and delete endpoints, particularly a single account issuing updates or deletes for many different message IDs in a short window, or for messages it did not author
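One way to run the log review and monitoring items above, as an added example that is not part of the advisory or of Open WebUI. It assumes a request log with one line per request that includes the authenticated user ID (the line format below is constructed for the example), a message-to-author mapping exported from the message store (inline here), and endpoint paths of the shape .../channels/<id>/messages/<mid>/update|delete, which is an assumption and not taken from the advisory:

```python
"""Flag update/delete requests on channel messages by non-owner, non-admin users.

Added example, not from the advisory or Open WebUI. The log line format,
the endpoint path shape and the sample data are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed log format: "<ts> user=<id> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed path shape for the affected endpoints (not taken from the advisory).
MSG_RE = re.compile(
    r"/channels/(?P<channel>[^/]+)/messages/(?P<message>[^/]+)/(?P<op>update|delete)$"
)

# Constructed sample log: alice edits her own message, bob edits alice's,
# root (admin) deletes, carol is refused post-patch, dave targets an unknown id.
SAMPLE_LOG = """\
2026-05-16T10:01:02Z user=alice POST /api/v1/channels/c1/messages/m1/update 200
2026-05-16T10:02:15Z user=bob POST /api/v1/channels/c1/messages/m1/update 200
2026-05-16T10:03:00Z user=bob GET /api/v1/channels/c1/messages 200
2026-05-16T10:04:30Z user=root DELETE /api/v1/channels/c1/messages/m2/delete 200
2026-05-16T10:05:00Z user=carol DELETE /api/v1/channels/c2/messages/m3/delete 403
2026-05-16T10:06:10Z user=dave DELETE /api/v1/channels/c2/messages/m9/delete 404
"""

# Constructed ownership export: message id -> author id.
MESSAGE_AUTHORS = {"m1": "alice", "m2": "bob", "m3": "alice"}
ADMINS = {"root"}

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    op: str
    channel: str
    message: str
    author: Optional[str]  # None when the message id is not in the export
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into fields, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_non_owner_modifications(lines: Iterable[str], authors: dict,
                                 admins: set) -> list:
    """Return every update/delete on a message by someone who is not its author.

    Admin users are skipped because the intended rule allows them. Requests
    that were refused (4xx) are still reported, since on a patched instance
    they are the attempt signal; the status field lets the caller separate
    successful modifications from blocked ones. Unknown message ids are
    reported with author=None rather than silently dropped.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in MUTATING_METHODS:
            continue
        pm = MSG_RE.search(rec["path"])
        if pm is None:
            continue
        user = rec["user"]
        if user in admins:
            continue
        author = authors.get(pm["message"])
        if author == user:
            continue
        findings.append(Finding(
            ts=rec["ts"], user=user, op=pm["op"], channel=pm["channel"],
            message=pm["message"], author=author, status=int(rec["status"]),
        ))
    return findings


def successful_only(findings: Iterable[Finding]) -> list:
    """Subset that actually changed data (2xx), for incident scoping."""
    return [f for f in findings if 200 <= f.status < 300]


if __name__ == "__main__":
    for f in find_non_owner_modifications(SAMPLE_LOG.splitlines(), MESSAGE_AUTHORS, ADMINS):
        print(f)
```

On the sample this reports bob's successful edit of alice's message, carol's refused delete and dave's request against an unknown message ID, and skips alice's own edit and the administrator's delete. The same join against the message store is what is needed when scoping an incident on an unpatched instance: anything in the successful subset is a message whose content or existence can no longer be trusted.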

Evidence notes

The vulnerability description is derived from the official CVE record and NVD entry. The CVSS vector and affected version range are sourced from NVD CPE criteria. The fix version 0.6.19 is confirmed through the vendor security advisory.

Official resources

The vulnerability was disclosed through GitHub Security Advisories and subsequently published in the National Vulnerability Database. The vendor has acknowledged the issue and released a patched version.