PT-2026-39267 · Unknown · Open-Webui

Published: 2026-05-08 · Updated: 2026-05-19 · CVE-2026-44550

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0

Description: Open WebUI is a self-hosted artificial intelligence platform. A mass assignment issue exists where the FolderForm uses a configuration that permits arbitrary fields to pass through Pydantic validation. In the insert new folder function, the server-assigned user id is overwritten by user-supplied data from the POST body. This allows an authenticated attacker to specify a different user id when calling the '/api/v1/folders/' endpoint, enabling them to create folders in other users' accounts. This can be used for phishing by planting folders with deceptive names or for spamming a victim's interface. The user id variable is the primary vector for this overwrite.

Recommendations: Update to version 0.9.0.
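The pattern behind the issue, as an added illustration that is not Open WebUI's code: a form validator that lets undeclared fields through, combined with a merge that applies the server-assigned user id before the request body, versus the hardened form that rejects undeclared fields and applies the server value last. The function and field names below are hypothetical, and the validation is simulated in plain Python rather than with Pydantic.

```python
# Constructed illustration of a mass-assignment bug and its fix.
# Not Open WebUI's code; all names are hypothetical.

DECLARED_FOLDER_FIELDS = {"name", "parent_id"}


class ValidationError(ValueError):
    """Raised when a request body carries fields the form does not declare."""


def validate_folder_form(body: dict, allow_extra: bool) -> dict:
    """Simulate form validation.

    allow_extra=True mirrors a model configured to pass undeclared fields
    through validation; allow_extra=False mirrors a model that rejects them.
    """
    extra = set(body) - DECLARED_FOLDER_FIELDS
    if extra and not allow_extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    return dict(body)


def insert_new_folder_vulnerable(body: dict, session_user_id: str) -> dict:
    """Vulnerable pattern: the server-assigned user_id is merged BEFORE the
    validated body, so a user_id supplied in the POST body replaces it."""
    form = validate_folder_form(body, allow_extra=True)
    return {"user_id": session_user_id, **form}


def insert_new_folder_fixed(body: dict, session_user_id: str) -> dict:
    """Hardened pattern: undeclared fields fail validation, and the
    server-assigned user_id is applied last so the body cannot override it."""
    form = validate_folder_form(body, allow_extra=False)
    return {**form, "user_id": session_user_id}


if __name__ == "__main__":
    # Constructed request body carrying a user_id the caller does not own.
    body = {"name": "Invoices", "user_id": "user-b"}
    print(insert_new_folder_vulnerable(body, "user-a"))  # user_id becomes user-b
    try:
        insert_new_folder_fixed(body, "user-a")
    except ValidationError as exc:
        print("rejected:", exc)
```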

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-44550
GHSA-HR43-RJMR-7WMM

Affected Products

Open-Webui