CVE-2026-44567

HIGH

Open WebUI: Open WebUI Improper Authorization Control

Title source: cna

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf

Scores

CVSS v3 7.3

EPSS 0.0010

EPSS Percentile 26.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-602 CWE-863

Status published

Products (3)

open-webui/open-webui < 0.1.124

openwebui/open_webui < 0.1.124

pypi/open-webui 0 - 0.1.124PyPI

Published May 15, 2026

Tracked Since May 16, 2026