Cyber Resilience

CVE-2026-44556

High

Published: 15 May 2026

Published
15 May 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
EPSS Score 0.0001 2.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44556 is a high-severity Improper Access Control (CWE-284) vulnerability in Openwebui Open Webui. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

EU & UK References

Vulnerability details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control.…

more

While the primary chat completion endpoint (generate_chat_completion) checks model ownership, group membership, and AccessGrants before allowing a request, the /responses proxy only validates that the user has a valid session via get_verified_user. This allows any authenticated user to interact with any model configured on the instance by sending a POST request to /api/openai/responses with an arbitrary model ID. This vulnerability is fixed in 0.9.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: artificial intelligence, llm, open webui, openai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization check on /responses API endpoint directly enables exploitation of the public/self-hosted web application to access restricted models.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44555Same product: Openwebui Open Webui
CVE-2026-45350Same product: Openwebui Open Webui
CVE-2026-34222Same product: Openwebui Open Webui
CVE-2026-44567Same product: Openwebui Open Webui
CVE-2026-44551Same product: Openwebui Open Webui
CVE-2026-45400Same product: Openwebui Open Webui
CVE-2026-45315Same product: Openwebui Open Webui
CVE-2026-45331Same product: Openwebui Open Webui
CVE-2026-45398Same product: Openwebui Open Webui
CVE-2026-45399Same product: Openwebui Open Webui

Affected Assets

openwebui
open webui
≤ 0.9.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-284 CWE-862

The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

addresses: CWE-284 CWE-862

Supervision and review of access control activities directly detects and remediates improper access configurations or usages.

addresses: CWE-284 CWE-862

Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.

addresses: CWE-284 CWE-862

Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.

addresses: CWE-284 CWE-862

Requiring prior authorization for each remote access type prevents improper access control over remote connections.

addresses: CWE-284 CWE-862

Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.

addresses: CWE-284 CWE-862

Requiring authorization and configuration controls for mobile device connections directly enforces access control and prevents unauthorized devices from reaching organizational systems.

addresses: CWE-284 CWE-862

Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.

References