{"data":{"id":"8ec5bafb-79b8-4536-a589-807c217927f0","title":"CVE-2026-44563: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /","summary":"Open WebUI, a self-hosted AI platform that runs offline, had a missing-authorization vulnerability before version 0.9.0: certain API endpoints (like /api/generate and /api/embeddings) accepted any model name supplied by the user and forwarded the request to the backend without checking whether that user had permission to use the model. The endpoints verified only that the user was logged in and that the model existed; they skipped the access control check, AccessGrants.has_access(), which determines what resources a user is allowed to access. As a result, any logged-in user could send requests to a model they had not been granted access to.","solution":"The vulnerability is fixed in version 0.9.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-44563","publishedAt":"2026-05-15T20:16:48.000Z","cveId":"CVE-2026-44563","cweIds":["CWE-862"],"cvssScore":"5.4","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Open WebUI","Ollama"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-15T20:16:48.000Z","capecIds":["CAPEC-122"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}