SB2026050527 - Multiple vulnerabilities in Open WebUI



SB2026050527 - Multiple vulnerabilities in Open WebUI

Published: May 5, 2026 Updated: May 5, 2026

Security Bulletin ID SB2026050527
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 16
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 6% Medium 13% Low 81%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 16 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2026-44721)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user.

The vulnerability exists due to cross-site scripting in model description rendering in the chat UI when processing a crafted model description containing a javascript: link. A remote user can create a malicious model description to execute arbitrary JavaScript in the browser of another user.

User interaction is required, and the victim must view the malicious model and click the rendered hyperlink.


2) Improper access control (CVE-ID: CVE-2026-44552)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to poison shared cache data across instances and disclose sensitive information.

The vulnerability exists due to improper access control in the tool server and terminal server Redis cache in backend/open_webui/utils/tools.py when multiple instances share a Redis backend. A remote privileged user can write attacker-controlled tool server or terminal server entries to unprefixed Redis keys to poison shared cache data across instances and disclose sensitive information.

Exploitation requires multiple Open WebUI instances to share a single Redis backend.


3) Improper access control (CVE-ID: CVE-2026-44550)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to create folders in other users' accounts.

The vulnerability exists due to improper access control in the folder creation endpoint and FolderForm model when handling crafted folder creation requests. A remote user can supply a crafted user_id value in the POST body to create folders in other users' accounts.

Exploitation requires an authenticated account with folders permission and knowledge or guessing of the victim's user UUID.


4) Improper access control (CVE-ID: CVE-2026-44555)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass access control and access restricted models.

The vulnerability exists due to improper access control in model chaining via base_model_id when handling model creation, import, and chat completion requests. A remote user can create or import a model that references a restricted base model to bypass access control and access restricted models.

Exploitation requires model creation permission and the presence of a restricted base model on the instance.


5) Improper Authorization (CVE-ID: CVE-2026-44553)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to read and modify other users' notes.

The vulnerability exists due to improper access control in the Socket.IO session pool and Yjs collaborative document handlers when processing Socket.IO events after an administrative role change or user deletion. A remote user can keep a previously established Socket.IO session alive and send crafted ydoc document join and update events to read and modify other users' notes.

HTTP endpoints are not affected. Exploitation requires an active Socket.IO session that was established while the user still had the admin role, and the stale session can persist through heartbeat events.


6) Improper access control (CVE-ID: CVE-2026-44558)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and modify access permissions.

The vulnerability exists due to improper access control in the channel creation and update endpoints when handling access_grants during channel creation or update requests. A remote user can submit crafted access grants to disclose sensitive information and modify access permissions.

Exploitation requires an account that can create group channels or ownership of an existing channel, and restrictive sharing permissions must be configured for regular users.


7) Improper access control (CVE-ID: CVE-2026-44557)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in retrieval query endpoints when querying the knowledge-bases meta-collection. A remote user can send a specially crafted request to disclose sensitive information.

The issue exposes knowledge base metadata, including IDs, names, and descriptions, across all users on the instance.


8) Improper access control (CVE-ID: CVE-2026-44554)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to overwrite another user's knowledge base content and cause a denial of service.

The vulnerability exists due to improper access control in the retrieval web and YouTube processing endpoints when processing a user-supplied collection name with overwrite enabled. A remote user can send a specially crafted request targeting another user's collection to overwrite another user's knowledge base content and cause a denial of service.

Exploitation requires knowledge of the target collection name, and the overwrite behavior deletes the existing vector collection before writing attacker-controlled content.


9) Improper Authentication (CVE-ID: CVE-2026-44551)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication and gain access to another user's account.

The vulnerability exists due to improper authentication in the LDAP authentication endpoint when processing LDAP login requests with an empty password. A remote attacker can submit a valid LDAP username and an empty password to bypass authentication and gain access to another user's account.

Exploitation requires LDAP authentication to be enabled, the underlying LDAP server to accept unauthenticated simple binds with empty passwords, and knowledge of a valid LDAP username.


10) Improper access control (CVE-ID: CVE-2026-44563)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass model access controls and access restricted model information and compute resources.

The vulnerability exists due to improper access control in the Ollama proxy endpoints in backend/open_webui/routers/ollama.py when handling direct requests to /api/generate, /api/embed, /api/embeddings, and /api/show. A remote user can send requests with a restricted model name to bypass model access controls and access restricted model information and compute resources.

Exploitation requires Ollama to be configured as a backend, model access control to be enabled, and knowledge of the restricted model name.


11) Improper access control (CVE-ID: CVE-2026-44562)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to overwrite any existing model and modify its access grants.

The vulnerability exists due to improper access control in the POST /api/v1/models/import endpoint when handling model import requests with an ID matching an existing model. A remote user can send a specially crafted import request to overwrite any existing model and modify its access grants.

Exploitation requires the workspace.models_import permission and knowledge of the target model ID.


12) Improper access control (CVE-ID: CVE-2026-44560)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in get_sources_from_items in the RAG source resolution logic when processing chat completion requests that reference file or knowledge base vector collections. A remote user can send a specially crafted chat completion request referencing a target file ID or knowledge base collection name to disclose sensitive information.

Exploitation requires knowledge of the target file ID or knowledge base ID, and the target resource must already be processed into the vector store.


13) Missing Authorization (CVE-ID: CVE-2026-44559)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the GET /api/v1/channels/{id}/members endpoint when handling requests for standard channels. A remote user can send a request for a private channel's member list to disclose sensitive information.

Channels must be enabled, and exploitation requires knowledge of the target channel UUID.


14) Improper access control (CVE-ID: CVE-2026-44564)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify collaborative documents and cause a denial of service.

The vulnerability exists due to improper access control in the ydoc:document:update Socket.IO event handler when handling collaborative document update events from users who have only joined the document room with read permission. A remote user can send a specially crafted Socket.IO update event to modify collaborative documents and cause a denial of service.

If a user with write access saves the document, the tampered content may be persisted. The issue affects in-memory Yjs document state and the changes are broadcast to other collaborators in real time.


15) Improper Authorization (CVE-ID: CVE-2026-44561)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read channel messages and modify channel messages after deactivation.

The vulnerability exists due to improper access control in is_user_channel_member authorization check in backend/open_webui/models/channels.py when handling direct API requests to group or DM channel message endpoints. A remote user can send crafted API requests to read channel messages and modify channel messages after deactivation.

Only instances with the channels feature enabled are vulnerable. Exploitation requires prior membership in the target channel and knowledge of the channel ID.


16) Missing Authorization (CVE-ID: CVE-2026-44556)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service and disclose sensitive information.

The vulnerability exists due to missing authorization in the /responses endpoint when handling POST requests to /api/openai/responses with an arbitrary model ID. A remote user can send a specially crafted request to cause a denial of service and disclose sensitive information.

The endpoint forwards requests directly to upstream LLM providers without enforcing per-model access control, but it does not expose workspace-specific model configurations or related confidential data through this vector.


Remediation

Install update from vendor's website.