CVE-2026-44563: open-webui: auth bypass exposes restricted LLM models

GHSA-rcvp-6fgw-c7fh MEDIUM
Published May 8, 2026
CISO Take

Four Ollama proxy endpoints in open-webui (≤ 0.8.12) skip the model access control check entirely, so any authenticated, non-pending user can invoke or inspect models they were never granted. This is a silent control failure: admins who restricted models through the UI see the restriction enforced in the chat interface, while the proxy routes /ollama/api/generate, /ollama/api/embed, /ollama/api/embeddings and /ollama/api/show never call the authorization check, so every restriction is bypassable with one direct API call. The /ollama/api/show endpoint additionally returns a restricted model's system prompt, parameters and template, which in enterprise deployments amounts to exfiltration of proprietary model configuration. With no public exploit and no KEV listing this stays a medium-urgency issue, but organizations running multi-user open-webui instances with model access control configured should treat it as a priority: upgrade to open-webui 0.9.0 and audit API logs for direct calls to those four endpoints from users outside the models' access grants.

Sources: GitHub Advisory, NVD, ATLAS

What is the risk?

Medium risk (CVSS 5.4), but understated for organizations that rely on model access control as a cost containment or IP protection boundary. Exploitation requires only a valid, non-pending user account: no special tooling, no elevated privileges, no prior compromise. The main risk amplifier is the false sense of security: the chat interface enforces restrictions correctly, so admins believe the policy works while the four proxy endpoints remain open. Restricted model names are rarely secret (Ollama names such as llama3:70b follow a predictable convention and appear in internal documentation), so reconnaissance is near zero effort. No active exploitation or public proof of concept has been observed, which keeps this below the critical threshold.

How does the attack unfold?

Initial Access
Attacker authenticates to open-webui with any valid, non-pending user account and obtains a bearer token; no special privileges are required.
AML.T0012
Target Identification
Attacker identifies restricted model names from predictable naming conventions such as llama3:70b or mistral:latest; no enumeration is needed because the names are discoverable through documentation or colleagues.
AML.T0014
Authorization Bypass
Attacker sends direct POST requests to /ollama/api/generate, /ollama/api/embed, /ollama/api/embeddings or /ollama/api/show naming the restricted model. The route only confirms that the model exists in the unfiltered model list, performs no access grant check, and proxies the request to Ollama.
AML.T0049
Impact
Attacker invokes restricted models, consuming GPU and compute they were not authorized to use, and extracts system prompts and proprietary model configuration via /ollama/api/show.
AML.T0056

What systems are affected?

Package: Open WebUI
Ecosystem: pip
Vulnerable range: <= 0.8.12
Patched: 0.9.0


How severe is it?

CVSS 3.1 base score: 5.4 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 15% of all CVEs)
Exploitation status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): Low

What should I do?

4 steps
  1. Patch immediately: upgrade the open-webui package or container image to 0.9.0, which adds the access grant check to all four affected endpoints.

  2. Temporary workaround: block /ollama/api/generate, /ollama/api/embed, /ollama/api/embeddings and /ollama/api/show at the reverse proxy or WAF layer until patched. The proxy cannot tell a granted user from a restricted one (identity lives in the bearer token, the model name in the POST body), so the block applies to every client of those routes; expect breakage for any integration that calls them directly.

  3. Detection: audit API access logs for authenticated users calling these endpoints with model names outside their authorized scope, cross-referencing the model named in the POST body against the user's access grants in the open-webui database. Plain reverse-proxy access logs record the path but neither the request body nor the user, so this needs request-level audit logging in open-webui (its AUDIT_LOG_LEVEL setting; check your version's documentation for the output format) or body logging at the proxy.

  4. Post-patch review: assess whether unauthorized access occurred during the exposure window by reviewing inference logs on the Ollama backend for model usage anomalies. Ollama's logs show which models were loaded and when, not which open-webui user triggered them, so correlate by timestamp with the open-webui side.
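As an added example of step 3 (not part of the page, and not open-webui's own tooling), the script below runs the cross-reference over a request-level audit log. The log lines, the access-grant table and the user-to-group mapping are all constructed for illustration; the line format is a hypothetical one-JSON-object-per-line shape carrying user, path and body, not open-webui's native audit format, so adapt `model_from_body` and the field names to whatever your logging actually emits. Anything not named on the page (the users, the group names, the model `secret-finance:latest`) is invented.

```python
import json
from collections import defaultdict
from typing import Optional

# Endpoints that skipped the access grant check in open-webui <= 0.8.12.
UNCHECKED_PATHS = {
    "/ollama/api/generate",
    "/ollama/api/embed",
    "/ollama/api/embeddings",
    "/ollama/api/show",
}

# Constructed access-grant table: model -> groups allowed to use it.
# Replace with an export of the grants configured in your instance.
MODEL_GRANTS = {
    "llama3:70b": {"ai-research"},
    "llama3:8b": {"ai-research", "staff"},
    "mistral:latest": {"ai-research", "staff"},
}
USER_GROUPS = {
    "alice": {"ai-research"},
    "bob": {"staff"},
    "carol": {"staff"},
}
ADMINS = {"root"}

# Constructed sample log (hypothetical format): one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-05-09T10:01:02Z","user":"alice","method":"POST","path":"/ollama/api/generate","body":{"model":"llama3:70b","prompt":"..."}}
{"ts":"2026-05-09T10:02:15Z","user":"bob","method":"POST","path":"/api/chat/completions","body":{"model":"llama3:8b"}}
{"ts":"2026-05-09T10:03:40Z","user":"bob","method":"POST","path":"/ollama/api/generate","body":{"model":"llama3:70b","prompt":"..."}}
{"ts":"2026-05-09T10:03:58Z","user":"bob","method":"POST","path":"/ollama/api/show","body":{"name":"llama3:70b"}}
{"ts":"2026-05-09T10:05:00Z","user":"carol","method":"POST","path":"/ollama/api/embed","body":{"model":"llama3:8b","input":"x"}}
{"ts":"2026-05-09T10:06:30Z","user":"root","method":"POST","path":"/ollama/api/show","body":{"name":"llama3:70b"}}
{"ts":"2026-05-09T10:07:00Z","user":"carol","method":"POST","path":"/ollama/api/embeddings","body":{"model":"secret-finance:latest","prompt":"x"}}
"""


def model_from_body(body: dict) -> Optional[str]:
    # generate/embed/embeddings name the model under "model"; show uses "name"
    # (Ollama accepts "model" there too), so check both.
    return body.get("model") or body.get("name")


def is_authorized(user: str, model: str) -> bool:
    """Admins may use every model; other users need a group grant.
    A model with no grant entry is treated as restricted (default deny)."""
    if user in ADMINS:
        return True
    return bool(USER_GROUPS.get(user, set()) & MODEL_GRANTS.get(model, set()))


def find_unauthorized_calls(log_text: str) -> list:
    """Return one finding per call to an unchecked endpoint where the named
    model lies outside the caller's grants."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("path") not in UNCHECKED_PATHS:
            continue  # the chat path performed its own check; ignore it here
        model = model_from_body(entry.get("body") or {})
        if model is None or is_authorized(entry["user"], model):
            continue
        findings.append(
            {"ts": entry["ts"], "user": entry["user"], "path": entry["path"], "model": model}
        )
    return findings


def models_by_user(findings: list) -> dict:
    """Collapse findings to user -> set of models touched without a grant."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["user"]].add(f["model"])
    return dict(summary)


if __name__ == "__main__":
    hits = find_unauthorized_calls(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['user']} {f['path']} model={f['model']}")
    print(models_by_user(hits))
```

Two design choices matter for real data. First, the check is default deny: a model that has no grant entry at all is flagged, because in open-webui a model with no grants is private to admins rather than public to everyone. Second, the chat completion path is skipped because it already enforced grants before the fix; only the four proxy routes are reviewed, which keeps the finding list to calls that actually bypassed policy.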

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.1.3 - AI system access control
NIST AI RMF
GOVERN 6.1 - Organizational risk policies and practices
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-44563?

CVE-2026-44563 is a missing authorization flaw (CWE-862) in open-webui ≤ 0.8.12. The Ollama proxy routes /ollama/api/generate, /ollama/api/embed, /ollama/api/embeddings and /ollama/api/show forward any model name from a verified user to the Ollama backend without calling the access grant check that the chat interface enforces, so any authenticated non-pending user can invoke restricted models and, through the show route, read their system prompt, parameters and template. It is fixed in open-webui 0.9.0.

Is CVE-2026-44563 actively exploited?

No confirmed active exploitation of CVE-2026-44563 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44563?

Upgrade the open-webui package or container image to 0.9.0, which adds the access grant check to all four affected endpoints. Until then, block /ollama/api/generate, /ollama/api/embed, /ollama/api/embeddings and /ollama/api/show at the reverse proxy or WAF (this also blocks legitimate direct API clients of those routes, since the proxy cannot distinguish granted users). For detection, review request-level API audit logs for calls to these endpoints naming models outside the caller's access grants, and after patching review the Ollama backend's inference logs for model usage anomalies during the exposure window. The full steps are listed under "What should I do?" above.

What systems are affected by CVE-2026-44563?

This vulnerability affects the following AI/ML architecture patterns: Multi-user LLM inference platforms, Model serving with access control tiers, Enterprise AI platforms with RBAC.

What is the CVSS score for CVE-2026-44563?

CVE-2026-44563 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

Multi-user LLM inference platforms
Model serving with access control tiers
Enterprise AI platforms with RBAC

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0034.000 Excessive Queries
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0056 Extract LLM System Prompt

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.3
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access(). This vulnerability is fixed in 0.9.0.
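To make the advisory's description concrete, here is an added Python illustration (not open-webui's code) of the vulnerable route logic beside the hardened form. The names `get_verified_user` and `AccessGrants.has_access()` come from the advisory; their bodies here, the `User` type, the model list, the grant table and the `forward_to_ollama` stub are all constructed stand-ins, and the real routes are FastAPI handlers that stream Ollama's response rather than plain functions. The same two-line change applies to each of the four routes; only generate is shown.

```python
from dataclasses import dataclass, field


class HTTPError(Exception):
    """Stand-in for the framework's HTTP exception."""

    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status
        self.detail = detail


@dataclass
class User:
    id: str
    role: str  # "admin", "user" or "pending" (constructed roles)
    groups: set = field(default_factory=set)


# Full, unfiltered model list as reported by the Ollama backend (constructed).
OLLAMA_MODELS = {"llama3:8b", "llama3:70b", "mistral:latest"}

# Constructed grant table standing in for open-webui's access grants:
# model -> groups with access.
ACCESS_GRANTS = {
    "llama3:8b": {"staff", "ai-research"},
    "llama3:70b": {"ai-research"},
    "mistral:latest": {"staff", "ai-research"},
}


def get_verified_user(user: User) -> User:
    """Stand-in for the get_verified_user dependency: any authenticated,
    non-pending account passes. This is the ONLY gate the vulnerable route had."""
    if user.role == "pending":
        raise HTTPError(401, "Account pending approval")
    return user


def has_access(user: User, model: str) -> bool:
    """Stand-in for AccessGrants.has_access(): admins see every model,
    other users need a group grant; a model with no grants is denied."""
    if user.role == "admin":
        return True
    return bool(user.groups & ACCESS_GRANTS.get(model, set()))


def forward_to_ollama(path: str, body: dict) -> dict:
    """Stub for the proxy call; the real route relays Ollama's response."""
    return {"proxied": path, "model": body.get("model") or body.get("name")}


def generate_vulnerable(user: User, body: dict) -> dict:
    """<= 0.8.12 behaviour as the advisory describes it: verified user,
    model validated only against the unfiltered list, no grant check."""
    user = get_verified_user(user)
    model = body.get("model")
    if model not in OLLAMA_MODELS:
        raise HTTPError(400, "Model not found")
    return forward_to_ollama("/api/generate", body)


def generate_fixed(user: User, body: dict) -> dict:
    """Hardened route: the grant check runs before anything reaches Ollama,
    matching what the chat path already did."""
    user = get_verified_user(user)
    model = body.get("model")
    if model not in OLLAMA_MODELS:
        raise HTTPError(400, "Model not found")
    if not has_access(user, model):
        # Deny before proxying. The detail deliberately says nothing about
        # the model's configuration; only the status reveals the denial.
        raise HTTPError(403, "Access to this model is not permitted")
    return forward_to_ollama("/api/generate", body)


if __name__ == "__main__":
    bob = User("bob", "user", {"staff"})
    print(generate_vulnerable(bob, {"model": "llama3:70b", "prompt": "hi"}))  # proxied
    try:
        generate_fixed(bob, {"model": "llama3:70b", "prompt": "hi"})
    except HTTPError as e:
        print(e.status, e.detail)  # 403
```

The point the example makes is that "the model exists" and "this user may use the model" are different checks, and the vulnerable route only performed the first. Because the existence check consults the unfiltered list, it even confirms restricted model names to any verified user; the hardened route keeps that behaviour for simplicity, but a deployment that treats model names as sensitive should return the same response for unknown and forbidden models.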

Exploitation Scenario

An ML platform team at an enterprise restricts the expensive llama3:70b model to the AI research group to control GPU costs, while general staff are limited to llama3:8b. A developer in an adjacent team learns the restricted model name from documentation or a colleague. Using their standard employee credentials, they craft a direct POST to /ollama/api/generate with the restricted model name, bypassing all UI-level controls. They additionally call /ollama/api/show to extract the research team's proprietary system prompt configuration for competitive or cost-saving purposes. The access control system records nothing anomalous because the authorization check was never invoked — the entire operation appears as normal authenticated API usage with no alert generated.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Timeline

Published
May 8, 2026
Last Modified
May 15, 2026
First Seen
May 8, 2026
