PT-2026-39272 · Unknown · Open-Webui

Published 2026-05-08 · Updated 2026-05-19 · CVE-2026-44555

CVSS v3.1: 7.6 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Open WebUI versions prior to 0.9.0

Description

Open WebUI supports model composition through the `base_model_id` variable, allowing a user-defined model to reference a base model for inference. An access control flaw exists where the system verifies access to the composed model but fails to re-verify access to the underlying chained base model. Furthermore, the model creation and import endpoints accept arbitrary `base_model_id` values without validating whether the caller has permission to access that base model. This allows users with model creation permissions to create a model that chains to a restricted base model and invoke it, causing the server to process the request using the admin-configured API key. This bypasses access grant policies and can lead to unauthorized use of premium or internal models.

Recommendations

Update to version 0.9.0. As a temporary workaround, restrict the model creation and import permissions to trusted users only to prevent the creation of unauthorized model chains.
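A minimal model of the access check described above, added here as an illustration: it is not Open WebUI's code, and the `Model` class, the sample registry and all function names are assumptions. It contrasts checking only the composed model with checking every model in the `base_model_id` chain, and adds the create/import-time validation.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Model:
    id: str
    owner: str
    base_model_id: Optional[str] = None
    granted: set = field(default_factory=set)  # users holding an access grant

# Constructed sample registry (hypothetical users and models)
REGISTRY = {
    "premium-llm": Model("premium-llm", owner="admin", granted={"alice"}),
    "open-llm": Model("open-llm", owner="admin", granted={"alice", "bob"}),
    "helper": Model("helper", owner="bob", base_model_id="premium-llm"),
    "notes": Model("notes", owner="bob", base_model_id="open-llm"),
}

def has_access(user, model):
    return user == model.owner or user in model.granted

def check_composed_only(user, model_id, registry=REGISTRY):
    """Flawed pattern from the description: only the composed model is checked."""
    return has_access(user, registry[model_id])

def check_full_chain(user, model_id, registry=REGISTRY):
    """Hardened: every model reachable through base_model_id must be accessible."""
    seen = set()
    current = model_id
    while current is not None:
        model = registry.get(current)
        if model is None or current in seen:  # dangling reference or cycle: deny
            return False
        if not has_access(user, model):
            return False
        seen.add(current)
        current = model.base_model_id
    return True

def validate_create(user, base_model_id, registry=REGISTRY):
    """Create/import-time check: the caller must already have access to the base."""
    return base_model_id is None or check_full_chain(user, base_model_id, registry)
```

Enforcing both checks matters: the create-time validation stops new unauthorized chains, while the inference-time chain walk also covers models created before the fix or after a grant is revoked.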

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-44555
GHSA-9VVH-QMJX-P4Q8

Affected Products

Open-Webui