CVE-2026-44555: Open WebUI Exposes Restricted AI Models

The National Vulnerability Database highlights CVE-2026-44555, a high-severity flaw in Open WebUI, a self-hosted AI platform. This vulnerability, present in versions prior to 0.9.0, stems from an inadequate access control mechanism. Open WebUI allows users to compose new AI models by referencing existing ‘base models.’ The critical oversight is that while the platform verifies user access to the composed model, it fails to re-verify access to the chained base model.

This creates a significant bypass. Any user with default model creation permissions can craft a model that links to a restricted base model. When that crafted model is invoked, the server dispatches the request to the restricted base model using the administrator’s API key. This effectively grants unauthorized users access to sensitive or high-cost AI models they should not be able to use, leveraging the admin’s privileges.

This is a classic authorization bypass with a CVSS score of 7.6, and it is fixed in Open WebUI version 0.9.0. Organizations using this platform need to understand that the attacker’s calculus here is simple: leverage a trusted internal component to access resources they are explicitly denied. It’s not about exploiting a complex buffer overflow; it’s about logic flaws in authorization that have real-world implications for resource control and potential data exposure.

What This Means For You

  • If your organization uses Open WebUI, you must immediately upgrade to version 0.9.0 or later to patch CVE-2026-44555. Audit your Open WebUI instances for any custom models that might be chaining to restricted base models, even if they appear to be legitimate. Unauthorized access to AI models can lead to resource abuse, intellectual property leakage, or the exfiltration of sensitive data processed by those models.
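The missing re-check described above and the audit recommended here, as an added Python example; this is not Open WebUI's code. Only `base_model_id` comes from the advisory. The `Model` fields `owner` and `allowed`, the function names and the sample inventory are hypothetical simplifications.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Model:
    id: str
    owner: str                                  # creator of the entry (assumed field)
    allowed: set = field(default_factory=set)   # users granted access (assumed field)
    base_model_id: Optional[str] = None         # chained base model, as named in the advisory

def has_access(user, model):
    return user == model.owner or user in model.allowed

def authorize_composed_only(user, model_id, models):
    """Pre-0.9.0 behaviour as the advisory describes it: only the invoked model is checked."""
    return has_access(user, models[model_id])

def authorize_chain(user, model_id, models):
    """Re-verify access on every model reachable through base_model_id."""
    seen = set()
    while model_id is not None:
        if model_id in seen or model_id not in models:
            return False                        # cycle or dangling reference: fail closed
        seen.add(model_id)
        model = models[model_id]
        if not has_access(user, model):
            return False
        model_id = model.base_model_id
    return True

def audit(models):
    """Composed models whose own creator fails the chain check."""
    return sorted(m.id for m in models.values()
                  if m.base_model_id and not authorize_chain(m.owner, m.id, models))

# Constructed sample inventory (not real Open WebUI data).
MODELS = {m.id: m for m in [
    Model("gpt-restricted", owner="admin"),
    Model("gpt-shared", owner="admin", allowed={"alice", "bob"}),
    Model("helper", owner="alice", base_model_id="gpt-shared"),
    Model("wrapper", owner="bob", base_model_id="gpt-restricted"),
    Model("wrapper2", owner="bob", allowed={"carol"}, base_model_id="wrapper"),
]}

if __name__ == "__main__":
    print("flagged for review:", audit(MODELS))
```

The audit also flags `wrapper2`, which chains to the restricted model indirectly through `wrapper`, so a review should follow the whole chain rather than one hop.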

🛡️ Detection Rules

CVE-2026-44555: Open WebUI Unauthorized Restricted Model Access (severity: high; ATT&CK T1190, Initial Access)

Sigma YAML:
title: CVE-2026-44555: Open WebUI Unauthorized Restricted Model Access
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects attempts to access restricted AI models in Open WebUI by exploiting the model composition vulnerability (CVE-2026-44555). This rule specifically looks for API calls to the chat completions endpoint that include a 'base_model_id' parameter, indicating a potential attempt to chain to a restricted model without proper authorization. This is the primary detection vector for the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44555/
tags:
  - attack.initial_access
  - attack.t1190
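logsource:
  category: webserver
detection:
  # Successful POST requests to the chat completions endpoint
  selection:
    cs-uri|contains:
      - '/api/v1/chat/completions'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  # cs-uri-query is the URL query string; request bodies are not covered by this field
  selection_indicators:
    cs-uri-query|contains:
      - 'base_model_id'
  # condition belongs at the detection level, not inside a selection
  condition: selection and selection_indicators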
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID | Type | Indicator
CVE-2026-44555 | Auth Bypass | Open WebUI versions prior to 0.9.0
CVE-2026-44555 | Auth Bypass | Open WebUI model composition via base_model_id
CVE-2026-44555 | Auth Bypass | Open WebUI model creation and import endpoints accepting arbitrary base_model_id values
CVE-2026-44555 | Information Disclosure | Access to restricted base models via composed models in Open WebUI

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
