CVE-2026-44567

Source
https://cve.org/CVERecord?id=CVE-2026-44567
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44567.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44567
Aliases
Published
2026-05-15T20:59:17.794Z
Modified
2026-07-08T08:13:27.506921334Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Open WebUI: Open WebUI Improper Authorization Control
Details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44567.json",
    "cwe_ids": [
        "CWE-602",
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type
GIT
Repo
https://github.com/open-webui/open-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.124"
        }
    ]
}

Affected versions

v0.*
v0.1.102
v0.1.103
v0.1.104
v0.1.105
v0.1.106
v0.1.107
v0.1.108
v0.1.109
v0.1.110
v0.1.111
v0.1.112
v0.1.113
v0.1.114
v0.1.115
v0.1.116
v0.1.117
v0.1.118
v0.1.119
v0.1.120
v0.1.121
v0.1.122
v0.1.123

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44567.json"