Open WebUI CVE-2026-44570: Inconsistent Auth Exposes User AI Memories

The National Vulnerability Database has disclosed CVE-2026-44570, a high-severity vulnerability (CVSS 8.3) in Open WebUI, a self-hosted AI platform. Prior to version 0.6.19, inconsistent authorization controls within the memories API allowed standard users to view, delete, and even restore the AI memories of other users. This is a critical flaw for any organization leveraging Open WebUI, especially because its offline design implies a higher expectation of data isolation.

Specifically, a non-admin user could use the /api/v1/memories/query endpoint to list existing memories across the platform. Furthermore, while direct modification via /api/v1/memories/{memory_id}/update was blocked, the endpoint would still leak the content of a memory if a valid ID was supplied. The most egregious flaw was the /api/v1/memories/{memory_id} DELETE endpoint, which any user could invoke to erase another user’s memories, with the possibility to restore them later via the update endpoint. This undermines the fundamental privacy and integrity of user data within the AI platform.

This vulnerability, categorized as CWE-639 (Authz Bypass Through Incorrect Authorization), highlights a common pitfall in API design where access controls are not uniformly enforced across all CRUD operations. Defenders must recognize that even internal applications require robust, granular authorization, especially when handling sensitive or personalized data like AI conversation histories. The fix is available in Open WebUI version 0.6.19, and immediate patching is non-negotiable.
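The pattern that avoids this class of bug is to resolve every per-object operation through one ownership check. The sketch below is an added illustration, not Open WebUI's code or its 0.6.19 fix; `MemoryService`, `Forbidden` and the in-memory store are hypothetical names used only to show the check applied uniformly to query, update and delete.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, List


class Forbidden(Exception):
    """Caller may not touch this memory (an API layer would map it to 403/404)."""


@dataclass
class Memory:
    id: str
    user_id: str  # owner
    content: str


class MemoryService:
    """Hypothetical service layer: every per-ID operation goes through _owned()."""

    def __init__(self) -> None:
        self._rows: Dict[str, Memory] = {}

    def _owned(self, caller_id: str, memory_id: str) -> Memory:
        # One choke point. "Missing" and "not yours" fail identically, so the
        # error neither confirms that an ID exists nor returns its content.
        row = self._rows.get(memory_id)
        if row is None or row.user_id != caller_id:
            raise Forbidden(memory_id)
        return row

    def add(self, caller_id: str, content: str) -> Memory:
        row = Memory(str(uuid.uuid4()), caller_id, content)  # server-chosen ID
        self._rows[row.id] = row
        return row

    def query(self, caller_id: str, needle: str) -> List[Memory]:
        # Owner scoping is part of the lookup itself, not a filter added later.
        return [m for m in self._rows.values()
                if m.user_id == caller_id and needle in m.content]

    def update(self, caller_id: str, memory_id: str, content: str) -> Memory:
        row = self._owned(caller_id, memory_id)  # checked before any read/write
        row.content = content
        return row  # a deleted ID raises above, so update cannot re-create it

    def delete(self, caller_id: str, memory_id: str) -> None:
        self._owned(caller_id, memory_id)
        del self._rows[memory_id]
```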

What This Means For You

  • If your organization uses Open WebUI, you need to patch to version 0.6.19 immediately. This vulnerability allows any standard user to access, delete, and restore the AI conversation memories of other users, leading to severe data privacy and integrity issues. Audit logs for suspicious memory API activity prior to patching.
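For the log audit suggested above, the following added example (not part of the original advisory or of Open WebUI) scans web access logs for the two per-ID memory routes and flags patterns worth reviewing. It assumes Common Log Format and that the client address is the only caller identity in the log; the sample lines, IPs and memory IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Common Log Format; IPs and memory IDs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2026:09:00:01 +0000] "POST /api/v1/memories/query HTTP/1.1" 200 512
10.0.0.5 - - [10/May/2026:09:00:09 +0000] "POST /api/v1/memories/aaa111/update HTTP/1.1" 200 230
10.0.0.9 - - [10/May/2026:09:02:40 +0000] "POST /api/v1/memories/bbb222/update HTTP/1.1" 200 198
10.0.0.7 - - [10/May/2026:09:05:13 +0000] "DELETE /api/v1/memories/bbb222 HTTP/1.1" 200 4
10.0.0.7 - - [10/May/2026:09:06:02 +0000] "POST /api/v1/memories/bbb222/update HTTP/1.1" 200 201
10.0.0.5 - - [10/May/2026:09:07:30 +0000] "GET /api/v1/chats/ HTTP/1.1" 200 900
"""

LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')
PER_ID = re.compile(r'^/api/v1/memories/(?P<id>[^/?]+)(?P<update>/update)?/?(?:\?.*)?$')
NAMED_ROUTES = {"query"}  # non-ID routes under /memories/; extend for your version


def audit(log_text):
    """Return (rule, memory_id, clients) tuples that deserve a manual review."""
    clients = defaultdict(list)  # memory_id -> distinct clients, in first-seen order
    deleted = set()              # memory_ids for which a DELETE has been logged
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        mem = PER_ID.match(m["path"]) if m else None
        if not mem or mem["id"] in NAMED_ROUTES:
            continue
        is_delete = m["method"] == "DELETE" and not mem["update"]
        is_update = m["method"] == "POST" and bool(mem["update"])
        if not (is_delete or is_update):
            continue
        mid, who = mem["id"], m["client"]
        if who not in clients[mid]:
            clients[mid].append(who)
        if is_delete:
            deleted.add(mid)
        elif mid in deleted:
            # The sequence the advisory describes: DELETE, then /update on the same ID.
            findings.append(("update-after-delete", mid, [who]))
    for mid, seen in clients.items():
        if len(seen) > 1:
            # A memory has one owner; several clients on one ID may be a shared
            # NAT or a second device, or someone else's request.
            findings.append(("multiple-clients", mid, seen))
    return findings
```

Findings are leads, not proof: correlate each flagged memory ID with its owner in the application database before drawing conclusions.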

Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2026-44570: Open WebUI Unauthorized Memory Access via API Query

Sigma YAML
title: CVE-2026-44570: Open WebUI Unauthorized Memory Access via API Query
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  Detects attempts by unauthorized users to query other users' AI memories using the POST /api/v1/memories/query endpoint. This is a direct indicator of exploitation for CVE-2026-44570, allowing attackers to view sensitive user data.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44570/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # The selection matches every POST to this endpoint, whoever the caller is;
  # the web log entry alone does not show whose memories were returned.
  selection:
    cs-method:
      - 'POST'
    cs-uri:
      - '/api/v1/memories/query'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-44570 | Information Disclosure | Open WebUI versions prior to 0.6.19 - POST /api/v1/memories/query
CVE-2026-44570 | Information Disclosure | Open WebUI versions prior to 0.6.19 - POST /api/v1/memories/{memory_id}/update
CVE-2026-44570 | Auth Bypass | Open WebUI versions prior to 0.6.19 - DELETE /api/v1/memories/{memory_id}
CVE-2026-44570 | Auth Bypass | Open WebUI versions prior to 0.6.19 - POST /api/v1/memories/{memory_id}/update (to restore deleted memories)

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
