CVE-2026-44555: Open WebUI access control bypass

Q: Is CVE-2026-44555 actively exploited?

No confirmed active exploitation of CVE-2026-44555 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-44555?

1. PATCH: Upgrade to open-webui 0.9.0 — this release adds base model access validation at both model creation and at the inference dispatch layer in main.py. 2. WORKAROUND (if immediate patching is not possible): Revoke the `workspace.models` permission from all non-admin user roles under Settings → Workspace → Permissions; this eliminates the creation vector. 3. AUDIT: Query your database for user-created models where base_model_id references an admin-restricted model — these are active bypass chains that survive patching and must be deleted manually. 4. ROTATE API keys for any restricted AI backend if unauthorized usage is suspected; review backend provider billing dashboards for unexpected spikes. 5. MONITOR: Add request-level logging at the model dispatch layer (main.py:1696-1711) to detect base_model_id resolution events involving restricted models.

Q: What systems are affected by CVE-2026-44555?

This vulnerability affects the following AI/ML architecture patterns: ML UI platforms, Model serving gateways, Multi-tenant LLM deployments, AI model access control layers.

Q: What is the CVSS score for CVE-2026-44555?

CVE-2026-44555 has a CVSS v3.1 base score of 7.6 (HIGH). The EPSS exploitation probability is 0.25%.

CISO Take

Open WebUI's model chaining feature allows any authenticated user to query admin-restricted AI models — GPT-4, Claude Opus, or any internal premium endpoint — by wrapping them in a self-owned model, with zero elevated permissions required. Since `workspace.models` creation rights are granted to all users by default, every account in a multi-tenant Open WebUI deployment (≤0.8.12) is a potential attacker; there is no special group membership or prior compromise needed. This attack is silent from the admin's perspective: access grant policies appear correctly configured while enforcement is bypassed entirely at the inference dispatch layer, and the admin's API key absorbs all costs. No CISA KEV entry exists and no public exploit is confirmed, but the technique is a single API call — trivial for any user who reads the advisory. Upgrade to open-webui 0.9.0 immediately; if patching is blocked, revoke `workspace.models` permission from non-admin roles as an interim workaround.

Sources: GitHub Advisory ATLAS NVD

What is the risk?

High risk for any multi-tenant Open WebUI deployment that uses tiered model access to gate premium or restricted AI backends. The combination of low required privilege, trivial exploitation, default-open model creation permissions, and direct financial impact makes this particularly dangerous for organizations using Open WebUI as a cost-controlled API gateway. No authentication weakness or prior foothold is required beyond a standard user account. The absence of access logging at the base model dispatch layer means bypass can persist undetected indefinitely, with costs attributed to legitimate API usage.

How does the attack unfold?

Discovery

Attacker identifies a restricted model ID (e.g., 'gpt-4-turbo-restricted') by querying the /api/v1/models endpoint or observing the model selector UI.

AML.T0007

Wrapper Model Creation

Attacker calls POST /api/v1/models/create with base_model_id referencing the restricted model; the endpoint does not validate the caller's access to the base model.

AML.T0049

Access Control Bypass

Attacker sends chat completions to the wrapper model; main.py resolves base_model_id to the restricted model without invoking check_model_access, dispatching the request with the admin's API key.

AML.T0040

Impact

Attacker receives unrestricted responses from the premium model, incurring financial costs on the admin's API key while access grant policies appear intact in the admin dashboard.

AML.T0034

Discovery

Attacker identifies a restricted model ID (e.g., 'gpt-4-turbo-restricted') by querying the /api/v1/models endpoint or observing the model selector UI.

AML.T0007

Wrapper Model Creation

Attacker calls POST /api/v1/models/create with base_model_id referencing the restricted model; the endpoint does not validate the caller's access to the base model.

AML.T0049

Access Control Bypass

Attacker sends chat completions to the wrapper model; main.py resolves base_model_id to the restricted model without invoking check_model_access, dispatching the request with the admin's API key.

AML.T0040

Impact

Attacker receives unrestricted responses from the premium model, incurring financial costs on the admin's API key while access grant policies appear intact in the admin dashboard.

AML.T0034

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Open WebUI	pip	<= 0.8.12	`0.9.0`
142.4K Pushed 4d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1

7.6 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I Low

A Low

What should I do?

5 steps

PATCH

Upgrade to open-webui 0.9.0 — this release adds base model access validation at both model creation and at the inference dispatch layer in main.py.
WORKAROUND (if immediate patching is not possible): Revoke the workspace.models permission from all non-admin user roles under Settings → Workspace → Permissions; this eliminates the creation vector.
AUDIT

Query your database for user-created models where base_model_id references an admin-restricted model — these are active bypass chains that survive patching and must be deleted manually.
ROTATE API keys for any restricted AI backend if unauthorized usage is suspected; review backend provider billing dashboards for unexpected spikes.
MONITOR

Add request-level logging at the model dispatch layer (main.py:1696-1711) to detect base_model_id resolution events involving restricted models.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass API Model Inference AML.T0007 - Discover AI Artifacts AML.T0034 - Cost Harvesting AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.6.2 - AI System Access Control

NIST AI RMF

GOVERN 1.7 - Processes for AI Risk Management

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-44555?

Open WebUI's model chaining feature allows any authenticated user to query admin-restricted AI models — GPT-4, Claude Opus, or any internal premium endpoint — by wrapping them in a self-owned model, with zero elevated permissions required. Since `workspace.models` creation rights are granted to all users by default, every account in a multi-tenant Open WebUI deployment (≤0.8.12) is a potential attacker; there is no special group membership or prior compromise needed. This attack is silent from the admin's perspective: access grant policies appear correctly configured while enforcement is bypassed entirely at the inference dispatch layer, and the admin's API key absorbs all costs. No CISA KEV entry exists and no public exploit is confirmed, but the technique is a single API call — trivial for any user who reads the advisory. Upgrade to open-webui 0.9.0 immediately; if patching is blocked, revoke `workspace.models` permission from non-admin roles as an interim workaround.

Is CVE-2026-44555 actively exploited?

No confirmed active exploitation of CVE-2026-44555 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44555?

1. PATCH: Upgrade to open-webui 0.9.0 — this release adds base model access validation at both model creation and at the inference dispatch layer in main.py. 2. WORKAROUND (if immediate patching is not possible): Revoke the `workspace.models` permission from all non-admin user roles under Settings → Workspace → Permissions; this eliminates the creation vector. 3. AUDIT: Query your database for user-created models where base_model_id references an admin-restricted model — these are active bypass chains that survive patching and must be deleted manually. 4. ROTATE API keys for any restricted AI backend if unauthorized usage is suspected; review backend provider billing dashboards for unexpected spikes. 5. MONITOR: Add request-level logging at the model dispatch layer (main.py:1696-1711) to detect base_model_id resolution events involving restricted models.

What systems are affected by CVE-2026-44555?

This vulnerability affects the following AI/ML architecture patterns: ML UI platforms, Model serving gateways, Multi-tenant LLM deployments, AI model access control layers.

What is the CVSS score for CVE-2026-44555?

CVE-2026-44555 has a CVSS v3.1 base score of 7.6 (HIGH). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

ML UI platformsModel serving gatewaysMulti-tenant LLM deploymentsAI model access control layers

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts

AML.T0034 Cost Harvesting

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.6.2

NIST AI RMF: GOVERN 1.7

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

# Base Model Routing Bypasses Access Control via Model Chaining ## Affected Component Model chaining via `base_model_id`: - `backend/open_webui/routers/models.py` (lines 170-214, `create_new_model`) - `backend/open_webui/routers/models.py` (lines 254-308, `import_models`) - `backend/open_webui/main.py` (lines 1696-1711, base model resolution in chat completion) - `backend/open_webui/routers/openai.py` (lines 1032-1037, base model payload rewrite) - `backend/open_webui/routers/ollama.py` (lines 1086-1090, base model payload rewrite) - `backend/open_webui/utils/models.py` (line 380, `check_model_access` — checks user-facing model only) ## Affected Versions Current main branch (commit `6fdd19bf1`) and likely all versions with the model chaining (`base_model_id`) feature. ## Description Open WebUI supports model composition via `base_model_id`: a user-defined model (e.g., "Cheap Assistant") can reference an existing base model (e.g., "gpt-4-turbo-restricted") that provides the actual inference capability. When a user queries the composed model, the access control pipeline verifies the user has access to the composed model but never re-verifies access to the chained base model. Additionally, the model creation and import endpoints accept arbitrary `base_model_id` values without checking that the caller has access to that base model. Combined, this allows any user with the default model creation permission to create a model that chains to a restricted base model — and then invoke it, causing the server to dispatch the request to the restricted base model using the admin-configured API key. ```python # utils/models.py:380 — access check runs against the user-facing model only def check_model_access(user, model): if user.role == 'user': ...check access grants on `model`... # main.py:1696-1711 — base model resolved without access check base_model = request.app.state.MODELS.get(model.info.base_model_id) if base_model: # payload["model"] is rewritten to base_model.id # but no check_model_access(user, base_model) is performed # openai.py:1032-1037 / ollama.py:1086-1090 — the rewritten payload is dispatched payload['model'] = base_model_id ``` ## Attack Scenario 1. Admin provisions a premium/restricted model `gpt-4-turbo-restricted` and configures access grants so only the "ML Engineers" group can use it. 2. Attacker (a regular user not in that group) calls: ``` POST /api/v1/models/create { "id": "cheap-assistant", "name": "Cheap Assistant", "base_model_id": "gpt-4-turbo-restricted", "params": {}, "meta": {} } ``` The creation endpoint does not validate the attacker's access to `gpt-4-turbo-restricted`. 3. Attacker now owns `cheap-assistant`. `check_model_access(attacker, cheap-assistant)` passes trivially because they are the owner. 4. Attacker sends: ``` POST /api/chat/completions {"model": "cheap-assistant", "messages": [...]} ``` 5. At `main.py:1696`, the pipeline resolves `cheap-assistant.base_model_id` to `gpt-4-turbo-restricted`, rewrites `payload["model"]` to the base model ID, and dispatches the upstream request with the admin-configured API key for the backend. 6. The attacker receives responses from the restricted model, bypassing the access grant policy. The same bypass is available via the import endpoint, which additionally allows overwriting existing models (see related finding on model import ownership). ## Impact - Regular users can query restricted models by chaining through a self-owned wrapper model - Access control on `gpt-4-turbo-restricted` (or equivalent paid/tiered/internal models) becomes silently ineffective - Direct cost impact on pay-per-token backends (OpenAI, Anthropic, Azure) — the admin's API key is used for requests the admin intended to forbid - Creates a false sense of security — the admin sees access restrictions work through the standard model selector but not through user-created chains ## Preconditions - Attacker must have model creation permission (default `workspace.models` permission, granted to all users by default) - A restricted base model must exist on the instance (the target of the chain)

Exploitation Scenario

An attacker at a company using Open WebUI as a cost-controlled gateway to GPT-4 notices 'gpt-4-turbo-restricted' in the models list or via the /api/v1/models endpoint. Using their standard employee account, they POST to /api/v1/models/create with base_model_id set to 'gpt-4-turbo-restricted' and create a personal model called 'my-assistant'. They own the wrapper model, so check_model_access passes trivially. Every subsequent chat request to 'my-assistant' is silently re-routed to GPT-4 at main.py:1696, billed to the admin's OpenAI API key. The attacker can run batch inference jobs, exfiltrate outputs, or resell access to the wrapper endpoint — while the admin's access grant dashboard shows the restriction correctly configured.

Weaknesses (CWE)

CWE-862 Missing Authorization Primary

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

[Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
[Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.