CVE-2026-44556: Open WebUI API Bypasses LLM Access Controls

/HIGH /CVSS 7.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-284cwe-862
CVE-2026-44556: Open WebUI API Bypasses LLM Access Controls

The National Vulnerability Database has disclosed CVE-2026-44556, a high-severity vulnerability (CVSS 7.1) in Open WebUI, a self-hosted AI platform. Versions prior to 0.9.0 are affected. The /responses endpoint within the OpenAI router fails to enforce per-model access control, allowing any authenticated user to interact with any configured Large Language Model (LLM) on the instance.

While the primary chat completion endpoint (generate_chat_completion) correctly validates model ownership and group memberships, the /responses proxy only verifies a valid user session. This oversight enables an authenticated attacker to bypass intended restrictions and send POST requests to /api/openai/responses with an arbitrary model ID, effectively gaining unauthorized access to LLMs they should not be able to use. This is a critical design flaw (CWE-284, CWE-862) that undermines the platform’s security model.

This vulnerability is patched in Open WebUI version 0.9.0. Defenders leveraging Open WebUI must prioritize upgrading immediately. Failing to do so creates a clear path for internal users, or compromised accounts, to abuse LLM resources, potentially exfiltrating sensitive data or exceeding rate limits on expensive models. The attacker’s calculus here is simple: find an authenticated session, then pivot to any LLM without further authorization checks.

What This Means For You

  • If your organization uses Open WebUI, you must patch to version 0.9.0 immediately. This isn't just about unauthorized access; it's about a fundamental breach of your LLM access control strategy. Audit your Open WebUI instances for unpatched versions and ensure all internal users are operating with the principle of least privilege. This vulnerability exposes a clear attack vector for insider abuse or post-compromise lateral movement.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1078.004 Cloud Accounts Persistence T1539 Steal Application Access Token Credential Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-44556: Open WebUI Unauthenticated Access to /responses Endpoint

Sigma YAML — free preview 
title: CVE-2026-44556: Open WebUI Unauthenticated Access to /responses Endpoint
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects attempts to access the /api/openai/responses endpoint via POST request. This specific endpoint in Open WebUI versions prior to 0.9.0 bypasses access controls, allowing any authenticated user to interact with any configured LLM model by specifying an arbitrary model ID in the request. This rule specifically targets the vulnerable endpoint to identify potential exploitation of CVE-2026-44556.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44556/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/api/openai/responses'
      cs-method:
          - 'POST'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-44556 Auth Bypass Open WebUI versions prior to 0.9.0
CVE-2026-44556 Auth Bypass Open WebUI vulnerable endpoint: /api/openai/responses
CVE-2026-44556 Auth Bypass Open WebUI vulnerable component: OpenAI router

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 15, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

radare2 Use-After-Free (CVE-2026-8696) Risks Denial of Service, RCE

CVE-2026-8696 — radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial...

vulnerabilityCVEhigh-severityuse-after-freecwe-416
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 4 IOCs /⚙ 2 Sigma

CVE-2026-45675: Open WebUI Vulnerable to Admin Role Race Condition

CVE-2026-45675 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use...

vulnerabilityCVEhigh-severitycwe-269cwe-362
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 3 IOCs /⚙ 2 Sigma

CVE-2026-45671: Open WebUI File Deletion Flaw Impacts Self-Hosted AI

CVE-2026-45671 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files...

vulnerabilityCVEhigh-severitycwe-639
/SCW Vulnerability Desk /HIGH /8 /⚑ 4 IOCs /⚙ 3 Sigma