PatchSiren cyber security CVE debrief
CVE-2026-44571 open-webui CVE debrief
Open WebUI versions prior to 0.8.6 contain an authorization bypass vulnerability in the message update endpoint for standard channels. The POST /api/v1/channels/{channel_id}/messages/{message_id}/update endpoint incorrectly permits access with read-only permissions when access_control is set to None. The has_access(..., type=read) check evaluates to True, allowing non-message owners to modify other users' messages. This represents a broken access control issue (CWE-862) where write operations are improperly gated behind read permission checks. The vulnerability affects standard channels (where channel.type is neither group nor dm) and requires the attacker to have legitimate read access to the channel. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. The vendor released version 0.8.6 to remediate this issue. Organizations should upgrade to 0.8.6 or later and review channel access_control configurations.
- Vendor: open-webui
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Organizations running self-hosted Open WebUI instances with multi-user standard channels, particularly those with access_control set to None. Security teams monitoring for broken access control vulnerabilities in AI/ML platform APIs. System administrators responsible for Open WebUI deployment and patch management.
Technical summary
The vulnerability exists in the message update endpoint for standard channels in Open WebUI. When access_control is None, the authorization logic incorrectly uses has_access(..., type=read) to gate write operations. This allows any user with read access to a standard channel to modify messages belonging to other users. The endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update should require write or ownership permissions but instead accepts read permissions. Standard channels exclude group and direct message types. The fix in 0.8.6 corrects the permission check to properly validate message ownership or write access before allowing updates.
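To make the flawed check concrete, the following added example models the permission logic described above in Python, showing the read-gated update beside a hardened variant that requires message ownership or explicit write access. It is illustrative code written for this debrief, not Open WebUI's own source: the User, Channel and Message classes, the Forbidden exception, the can_update wrapper and the exact behaviour of has_access (read open and write denied when access_control is None) are assumptions modelled on the advisory text.

```python
from dataclasses import dataclass
from typing import Optional, Callable


@dataclass
class User:
    id: str


@dataclass
class Channel:
    id: str
    type: str                       # "group", "dm", or a standard channel type
    access_control: Optional[dict]  # None models the open access_control the advisory describes


@dataclass
class Message:
    id: str
    channel_id: str
    user_id: str   # author of the message
    content: str


class Forbidden(Exception):
    """Raised where the endpoint would answer HTTP 403."""


def has_access(user_id: str, permission: str, access_control: Optional[dict]) -> bool:
    """Assumed model of the has_access() helper named in the advisory: with
    access_control None, read is open to every authenticated user while write
    is not granted; otherwise an explicit per-permission user list is consulted."""
    if access_control is None:
        return permission == "read"
    allowed = access_control.get(permission, {}).get("user_ids", [])
    return user_id in allowed


def update_message_vulnerable(user: User, channel: Channel, message: Message, new_content: str) -> Message:
    """Pre-0.8.6 behaviour as described: on a standard channel the write is gated
    only by a read check, so any reader can rewrite another user's message."""
    if channel.type in ("group", "dm"):
        raise ValueError("example models the affected standard-channel path only")
    if not has_access(user.id, "read", channel.access_control):
        raise Forbidden("no read access to channel")
    message.content = new_content
    return message


def update_message_fixed(user: User, channel: Channel, message: Message, new_content: str) -> Message:
    """Hardened variant: a reader may update a message only if they authored it
    or hold explicit write access on the channel."""
    if channel.type in ("group", "dm"):
        raise ValueError("example models the affected standard-channel path only")
    if not has_access(user.id, "read", channel.access_control):
        raise Forbidden("no read access to channel")
    is_owner = message.user_id == user.id
    if not (is_owner or has_access(user.id, "write", channel.access_control)):
        raise Forbidden("not the message author and no write access")
    message.content = new_content
    return message


def can_update(handler: Callable, user: User, channel: Channel, message: Message) -> bool:
    """Convenience wrapper: True if the handler accepts the update, False on Forbidden."""
    try:
        handler(user, channel, message, "edited")
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob = User("alice"), User("bob")
    channel = Channel("c1", "channel", access_control=None)
    msg = Message("m1", "c1", "alice", "original")
    print("vulnerable, bob edits alice's message:", can_update(update_message_vulnerable, bob, channel, msg))
    print("fixed, bob edits alice's message:", can_update(update_message_fixed, bob, channel, msg))
    print("fixed, alice edits her own message:", can_update(update_message_fixed, alice, channel, msg))
```

The point of the hardened variant is that the read check is kept as a prerequisite but is never treated as sufficient for a mutating operation; ownership or a distinct write permission is evaluated on its own. The same ownership-or-write test is the property to confirm in forks or custom deployments.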
Defensive priority
medium
Recommended defensive actions
- Upgrade Open WebUI to version 0.8.6 or later to remediate the authorization bypass vulnerability
- Review and audit standard channel configurations where access_control is set to None
- Implement monitoring for anomalous message update activities in standard channels
- Verify that message ownership checks are properly enforced in custom deployments or forks
- Review application logs for unauthorized message modifications prior to patching
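For the monitoring and log-review actions above, the following added example shows one way to surface message updates issued by someone other than the message's author. It is example code written for this debrief, not an Open WebUI feature: the JSON-lines log format with ts, actor, method, path and status fields, the sample log lines and the MESSAGE_OWNERS map are all constructed assumptions, since this page does not describe the application's own request logging. Only the route shape of the update endpoint comes from the advisory.

```python
import json
import re
from typing import Dict, List

# Route shape taken from the advisory; channel and message ids are path segments.
UPDATE_PATH = re.compile(
    r"^/api/v1/channels/(?P<channel_id>[^/]+)/messages/(?P<message_id>[^/]+)/update$"
)

# Constructed sample audit log in JSON-lines form. The field names (ts, actor,
# method, path, status) are assumptions; this page does not describe Open
# WebUI's own request logging.
SAMPLE_LOG = """\
{"ts": "2026-05-16T10:00:01Z", "actor": "alice", "method": "POST", "path": "/api/v1/channels/c1/messages/m1/update", "status": 200}
{"ts": "2026-05-16T10:00:05Z", "actor": "bob", "method": "POST", "path": "/api/v1/channels/c1/messages/m1/update", "status": 200}
{"ts": "2026-05-16T10:00:09Z", "actor": "bob", "method": "GET", "path": "/api/v1/channels/c1/messages", "status": 200}
{"ts": "2026-05-16T10:00:12Z", "actor": "carol", "method": "POST", "path": "/api/v1/channels/c1/messages/m2/update", "status": 403}
"""

# Constructed ownership map (message id -> author), standing in for a lookup
# against the instance's message store.
MESSAGE_OWNERS: Dict[str, str] = {"m1": "alice", "m2": "alice"}


def find_non_owner_updates(log_text: str, owners: Dict[str, str]) -> List[dict]:
    """Return every message-update request issued by someone other than the
    message's author. A 2xx outcome on an unpatched instance is a modification
    to review; a 403 after patching shows the ownership check now holds."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("method") != "POST":
            continue
        match = UPDATE_PATH.match(event.get("path", ""))
        if not match:
            continue
        message_id = match["message_id"]
        owner = owners.get(message_id)
        if owner == event.get("actor"):
            continue  # the author editing their own message is expected
        status = int(event.get("status", 0))
        findings.append({
            "ts": event.get("ts"),
            "actor": event.get("actor"),
            "channel_id": match["channel_id"],
            "message_id": message_id,
            "owner": owner,
            "outcome": "succeeded" if 200 <= status < 300 else "denied",
        })
    return findings


if __name__ == "__main__":
    for f in find_non_owner_updates(SAMPLE_LOG, MESSAGE_OWNERS):
        print(f"{f['ts']} {f['actor']} updated {f['message_id']} (owner {f['owner']}): {f['outcome']}")
```

Successful non-owner updates dated before the upgrade to 0.8.6 are the ones to reconcile against message history; denied attempts afterwards confirm the corrected check is being exercised. Users who legitimately hold explicit write access on a restricted channel will also appear here, so the ownership map should be paired with the channel's access_control when triaging.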
Evidence notes
CVE published 2026-05-15; modified 2026-05-18. Vendor advisory confirms fix in 0.8.6. NVD status: Analyzed. CVSS 3.1 score 6.5 (MEDIUM). CPE: cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* versionEndExcluding 0.8.6.
Official resources
- CVE-2026-44571 CVE record (CVE.org)
- CVE-2026-44571 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory (2026-05-15)