GHSA-hp5m-24vp-vq2q

Suggest an improvement
Source
https://github.com/advisories/GHSA-hp5m-24vp-vq2q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hp5m-24vp-vq2q/GHSA-hp5m-24vp-vq2q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hp5m-24vp-vq2q
Aliases
  • CVE-2026-44556
Published
2026-05-08T19:45:53Z
Modified
2026-05-08T20:05:47.783639Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
Summary
Open WebUI's responses passthrough endpoint lacks access control authorization
Details

Summary

The /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint (generatechatcompletion) checks model ownership, group membership, and AccessGrants before allowing a request, the /responses proxy only validates that the user has a valid session via getverifieduser.

This allows any authenticated user — regardless of role or group assignment — to interact with any model configured on the instance by sending a POST request to /api/openai/responses with an arbitrary model ID.

Impact

As per OWASP TOP 10 LLM:

  • Model Denial of Service (OWASP LLM04): An unauthorized user can submit resource-intensive requests to expensive models (e.g., o1-pro, GPT-4o) that were explicitly restricted by the administrator. In shared deployments, this can exhaust API budgets or rate limits, causing total service disruption for all legitimate users.

  • Model Theft (OWASP LLM10): If the instance proxies access to fine-tuned or self-hosted models, unauthorized users can freely interact with them, enabling capability extraction or model distillation without authorization.

  • Access Policy Bypass: Administrators lose the ability to enforce cost-tier restrictions, team-based model assignments, or compliance boundaries through the existing access control system.

The endpoint is a raw passthrough proxy and does not resolve workspace model configurations (system prompts, knowledge bases, RAG pipelines). Therefore, workspace-specific confidential data is not directly exposed through this vector.

PR: https://github.com/open-webui/open-webui/pull/23481

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:45:53Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-862"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}
References

Affected packages

PyPI / open-webui

Package

Name
open-webui
View open source insights on deps.dev
Purl
pkg:pypi/open-webui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.0

Affected versions

0.*
0.1.124
0.1.125
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17.dev2
0.3.17.dev3
0.3.17.dev4
0.3.17.dev5
0.3.17
0.3.18
0.3.19
0.3.20
0.3.21
0.3.22
0.3.23
0.3.24
0.3.25
0.3.26
0.3.27.dev1
0.3.27.dev2
0.3.27.dev3
0.3.27
0.3.28
0.3.29
0.3.30.dev1
0.3.30.dev2
0.3.30
0.3.31.dev1
0.3.31
0.3.32
0.3.33.dev1
0.3.33
0.3.34
0.3.35
0.4.0.dev1
0.4.0.dev2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6.dev1
0.4.6
0.4.7
0.4.8
0.5.0.dev1
0.5.0.dev2
0.5.0
0.5.1
0.5.2
0.5.3.dev1
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.5.9
0.5.10
0.5.11
0.5.12
0.5.13
0.5.14
0.5.15
0.5.16
0.5.17
0.5.18
0.5.19
0.5.20
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6.dev1
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.15
0.6.16
0.6.18
0.6.19
0.6.20
0.6.21
0.6.22
0.6.23
0.6.24
0.6.25
0.6.26.dev1
0.6.26
0.6.27
0.6.28
0.6.29
0.6.30
0.6.31
0.6.32
0.6.33
0.6.34
0.6.35
0.6.36
0.6.37
0.6.38
0.6.39
0.6.40
0.6.41
0.6.42
0.6.43
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11
0.8.12

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hp5m-24vp-vq2q/GHSA-hp5m-24vp-vq2q.json"
last_known_affected_version_range 
"<= 0.8.12"