CVE-2026-44556: open-webui: auth bypass allows unrestricted model access

GHSA-hp5m-24vp-vq2q (Severity: HIGH)
Published: May 8, 2026
CISO Take

Any authenticated user on open-webui ≤0.8.12 can bypass administrator-enforced model-tier restrictions by posting directly to `/api/openai/responses`, which proxies requests to upstream LLM providers without checking model ownership, group membership, or AccessGrants — the full authorization stack applied on every other endpoint is silently skipped. The practical blast radius hits shared enterprise deployments hardest: a single low-privileged user can rack up charges against expensive restricted models (GPT-4o, o1-pro) or repeatedly query proprietary fine-tuned models for capability distillation, with no audit trail distinguishing authorized from unauthorized use. With no public exploit code and no KEV listing this is not actively weaponized, but the attack requires only a valid session and basic HTTP knowledge — making it executable by any frustrated user or low-sophistication insider. Upgrade to open-webui 0.9.0 immediately; if patching is blocked, add a reverse-proxy rule blocking `/api/openai/responses` for non-admin sessions and audit upstream API cost logs for anomalies.

Sources: GitHub Advisory, NVD, MITRE ATLAS, OWASP LLM Top 10

What is the risk?

High risk for any multi-tenant or shared open-webui deployment acting as an LLM gateway. CVSS 7.1 reflects low attack complexity, network exposure, and a low-privilege requirement — no special tooling or AI knowledge is needed. The package carries 52 prior CVEs, suggesting a chronic security posture concern. Financial impact is the primary acute risk: unrestricted access to frontier models can drain API budgets rapidly. The secondary risk is IP exposure for organizations proxying proprietary fine-tuned models. Single-user deployments are unaffected, since access control enforcement only matters in shared contexts.

How does the attack unfold?

Initial Access (AML.T0012)
Attacker authenticates to the open-webui instance using any valid user account — no elevated role or group membership required.
Endpoint Discovery (AML.T0049)
Attacker identifies the `/api/openai/responses` endpoint via API documentation, source code review, or HTTP traffic inspection, confirming it accepts arbitrary model IDs.
Authorization Bypass (AML.T0040)
Attacker sends POST requests to `/api/openai/responses` specifying a restricted high-cost or proprietary model ID; the server validates only session authenticity and forwards the request to the upstream provider without AccessGrants enforcement.
Impact (AML.T0034)
Attacker exhausts the organization's upstream API budget by scripting resource-intensive queries to expensive restricted models (DoS/cost harvesting), or systematically queries proprietary fine-tuned models to distill their capabilities (model theft).

What systems are affected?

Package: Open WebUI
Ecosystem: pip
Vulnerable range: <= 0.8.12
Patched: 0.9.0


How severe is it?

CVSS 3.1: 7.1 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 22% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): High

What should I do?

  1. Upgrade to open-webui 0.9.0, which patches the missing authorization check on `/api/openai/responses`.
  2. If immediate upgrade is not feasible, restrict `/api/openai/responses` at the reverse proxy or WAF layer to admin-role sessions only, or block the endpoint entirely until patched.
  3. Audit server access logs for unexpected calls to `/api/openai/responses` from non-admin users, especially with high-cost model IDs.
  4. Review upstream provider (OpenAI, Anthropic) API usage dashboards for anomalous cost spikes that may indicate prior exploitation.
  5. Rotate upstream API keys if cost anomalies are detected.
  6. Implement API spend alerts at the upstream provider level as a compensating control.
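The log audit in step 3, as an added example that is not part of this advisory or of open-webui: it assumes an application log in JSON lines with `ts`, `user`, `role`, `method`, `path` and `model` fields (a bare reverse-proxy access log carries no role or model, so those must be logged at the application or proxy layer), and the sample lines and the expensive-model tier are constructed here.

```python
import json
from collections import Counter

# Constructed sample of a JSON-lines application log. Assumed fields: ts, user,
# role, method, path, model. A plain reverse-proxy access log lacks role and
# model; add them at the app or proxy layer, or join on the session user.
SAMPLE_LOG = """\
{"ts": "2026-05-09T10:00:01Z", "user": "admin1", "role": "admin", "method": "POST", "path": "/api/openai/responses", "model": "o1-pro"}
{"ts": "2026-05-09T10:00:07Z", "user": "c-001", "role": "user", "method": "POST", "path": "/api/openai/responses", "model": "o1-pro"}
{"ts": "2026-05-09T10:00:09Z", "user": "c-001", "role": "user", "method": "POST", "path": "/api/openai/responses", "model": "o1-pro"}
{"ts": "2026-05-09T10:00:15Z", "user": "c-002", "role": "user", "method": "POST", "path": "/api/openai/responses", "model": "team-chat"}
{"ts": "2026-05-09T10:00:20Z", "user": "c-001", "role": "user", "method": "POST", "path": "/api/chat/completions", "model": "team-chat"}
not a json line
"""

HIGH_COST_MODELS = {"o1-pro", "gpt-4o"}   # constructed tier list; use your own
TARGET_PATH = "/api/openai/responses"


def audit_responses_calls(log_text, high_cost_models=HIGH_COST_MODELS):
    """Return (findings, per_user): every non-admin POST to the proxy endpoint,
    tagged "high" when the model is in the expensive tier, plus a call count
    per user so scripted bursts stand out."""
    findings, per_user = [], Counter()
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # skip malformed lines, do not abort
        if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
            continue
        if rec.get("role") == "admin":
            continue                      # admins are allowed on the endpoint
        model = rec.get("model", "unknown")
        per_user[rec.get("user", "unknown")] += 1
        findings.append({
            "ts": rec.get("ts"),
            "user": rec.get("user"),
            "model": model,
            "severity": "high" if model in high_cost_models else "review",
        })
    return findings, per_user


def bursty_users(per_user, threshold):
    """Users whose call count reaches the threshold (tune to normal traffic)."""
    return sorted(u for u, n in per_user.items() if n >= threshold)
```

Run `audit_responses_calls` over the exported log and feed `bursty_users` a threshold derived from normal traffic; the "high" findings are the ones to cross-check against the upstream provider's cost dashboard (step 4).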

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2.3 - Access control for AI system resources
A.9.4 - Technical access controls for AI systems
NIST AI RMF
GOVERN 1.1 - AI risk is identified and prioritized
MANAGE 2.2 - Risk treatments are applied to high-priority AI risks
OWASP LLM Top 10
LLM04 - Model Denial of Service
LLM10 - Model Theft

Frequently Asked Questions

What is CVE-2026-44556?

Any authenticated user on open-webui ≤0.8.12 can bypass administrator-enforced model-tier restrictions by posting directly to `/api/openai/responses`, which proxies requests to upstream LLM providers without checking model ownership, group membership, or AccessGrants — the full authorization stack applied on every other endpoint is silently skipped. The practical blast radius hits shared enterprise deployments hardest: a single low-privileged user can rack up charges against expensive restricted models (GPT-4o, o1-pro) or repeatedly query proprietary fine-tuned models for capability distillation, with no audit trail distinguishing authorized from unauthorized use. With no public exploit code and no KEV listing this is not actively weaponized, but the attack requires only a valid session and basic HTTP knowledge — making it executable by any frustrated user or low-sophistication insider. Upgrade to open-webui 0.9.0 immediately; if patching is blocked, add a reverse-proxy rule blocking `/api/openai/responses` for non-admin sessions and audit upstream API cost logs for anomalies.

Is CVE-2026-44556 actively exploited?

No confirmed active exploitation of CVE-2026-44556 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44556?

  1. Upgrade to open-webui 0.9.0, which patches the missing authorization check on `/api/openai/responses`.
  2. If immediate upgrade is not feasible, restrict `/api/openai/responses` at the reverse proxy or WAF layer to admin-role sessions only, or block the endpoint entirely until patched.
  3. Audit server access logs for unexpected calls to `/api/openai/responses` from non-admin users, especially with high-cost model IDs.
  4. Review upstream provider (OpenAI, Anthropic) API usage dashboards for anomalous cost spikes that may indicate prior exploitation.
  5. Rotate upstream API keys if cost anomalies are detected.
  6. Implement API spend alerts at the upstream provider level as a compensating control.

What systems are affected by CVE-2026-44556?

This vulnerability affects the following AI/ML architecture patterns: LLM gateway and proxy deployments, Multi-tenant AI platforms, Model serving, Enterprise AI portals, Fine-tuned model hosting.

What is the CVSS score for CVE-2026-44556?

CVE-2026-44556 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.31%.

What is the AI security impact?

Affected AI Architectures

LLM gateway and proxy deployments, Multi-tenant AI platforms, Model serving, Enterprise AI portals, Fine-tuned model hosting

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0024.002 Extract AI Model
AML.T0034 Cost Harvesting
AML.T0034.001 Resource-Intensive Queries
AML.T0040 AI Model Inference API Access
AML.T0048.000 Financial Harm
AML.T0048.004 AI Intellectual Property Theft
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.3, A.9.4
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM04, LLM10

What are the technical details?

Original Advisory

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint (generate_chat_completion) checks model ownership, group membership, and AccessGrants before allowing a request, the /responses proxy only validates that the user has a valid session via get_verified_user. This allows any authenticated user to interact with any model configured on the instance by sending a POST request to /api/openai/responses with an arbitrary model ID. This vulnerability is fixed in 0.9.0.
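The missing check described in the advisory, as an added example that is not open-webui's code: the `User`, `ModelEntry` and `check_model_access` names and the model fixture are hypothetical stand-ins for the ownership, group-membership and access-grant checks the chat completion path runs, and both handlers receive an already session-verified user (the advisory's `get_verified_user` step) so only the per-model authorization differs.

```python
# Hypothetical names; not open-webui's data model or router code.
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised when a user may not use the requested model."""

@dataclass
class User:
    id: str
    role: str                                   # "admin" or "user"
    groups: set = field(default_factory=set)

@dataclass
class ModelEntry:
    id: str
    owner_id: str
    public: bool = False
    granted_groups: set = field(default_factory=set)   # group-level access grants
    granted_users: set = field(default_factory=set)    # user-level access grants

def check_model_access(user: User, model_id: str, models: dict) -> ModelEntry:
    """Admin, owner or public model passes; otherwise a user or group grant is required."""
    model = models.get(model_id)
    if model is None:
        raise AccessDenied(f"unknown model {model_id!r}")
    if user.role == "admin" or model.owner_id == user.id or model.public:
        return model
    if user.id in model.granted_users or user.groups & model.granted_groups:
        return model
    raise AccessDenied(f"user {user.id!r} has no grant for model {model_id!r}")

def forward_upstream(body: dict) -> dict:
    return {"forwarded_model": body["model"]}   # stand-in for the upstream provider call

def responses_vulnerable(user: User, body: dict, models: dict) -> dict:
    """Pre-0.9.0 shape: the session was verified, nothing about the model was."""
    return forward_upstream(body)

def responses_fixed(user: User, body: dict, models: dict) -> dict:
    """Fixed shape: the same per-model check as chat completions runs first."""
    check_model_access(user, body["model"], models)
    return forward_upstream(body)

# Constructed fixture: a restricted model granted only to the "research" group,
# a public team model, and a contractor who belongs to neither group.
MODELS = {
    "o1-pro": ModelEntry("o1-pro", owner_id="admin1", granted_groups={"research"}),
    "team-chat": ModelEntry("team-chat", owner_id="admin1", public=True),
}
CONTRACTOR = User("c-001", role="user", groups={"contractors"})
```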

Exploitation Scenario

An attacker with a standard authenticated session on a shared enterprise open-webui instance — perhaps a contractor with limited model access — discovers the `/api/openai/responses` endpoint through API documentation or simple endpoint enumeration. They craft a POST request with their session token specifying `o1-pro` or another restricted expensive model in the payload body. The server, performing only session validity checks, forwards the request to the upstream OpenAI API billed to the organization's key. By scripting thousands of resource-intensive inference requests, the attacker exhausts the organization's API budget or hits rate limits, causing a complete denial of service for all legitimate users. Alternatively, if the instance proxies a proprietary fine-tuned model, the attacker can systematically query it to distill its behavior into a local proxy model, effectively stealing the IP without triggering any access-control alerts.

Weaknesses (CWE)

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Timeline

Published: May 8, 2026
Last Modified: May 15, 2026
First Seen: May 8, 2026
