PT-2026-39273 · Unknown · Open-Webui
Published: 2026-05-08 · Updated: 2026-05-16 · CVE-2026-44556
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0
Description: The '/responses' endpoint in the OpenAI router allows any authenticated user to forward requests to upstream LLM providers without enforcing per-model access control. While the generate_chat_completion() function validates model ownership, group membership, and AccessGrants, the '/responses' proxy only verifies the user session via get_verified_user(). Consequently, an authenticated user can interact with any configured model by sending a POST request to '/api/openai/responses' with an arbitrary model ID. This can lead to Model Denial of Service (exhausting API budgets or rate limits through resource-intensive models) and Model Theft (unauthorized interaction with fine-tuned or self-hosted models), effectively bypassing administrative access policies.
Recommendations: Update to version 0.9.0.
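The gap the advisory describes, as an added illustration that is not Open WebUI's code: the session-only check of the pre-fix '/responses' route beside a route that applies the same per-model check (owner, public flag, group or per-user grant) that the chat-completion path already enforced. All names (User, ModelRecord, check_model_access, responses_vulnerable, responses_fixed) and the sample models and users are constructed assumptions.

```python
from dataclasses import dataclass


class AccessDenied(PermissionError):
    """Raised when a verified user is not entitled to the requested model."""


@dataclass(frozen=True)
class User:
    id: str
    role: str                      # "admin" or "user"; an assumed role scheme
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class ModelRecord:
    id: str
    owner_id: str
    public: bool = False
    allowed_groups: frozenset = frozenset()   # stands in for group AccessGrants
    allowed_users: frozenset = frozenset()    # stands in for per-user AccessGrants


# Constructed sample data: one public model and one restricted fine-tune.
MODELS = {
    "gpt-public": ModelRecord("gpt-public", owner_id="admin", public=True),
    "ft-internal": ModelRecord("ft-internal", owner_id="admin",
                               allowed_groups=frozenset({"research"})),
}
ALICE = User("alice", "user", frozenset({"support"}))   # no grant on ft-internal
BOB = User("bob", "user", frozenset({"research"}))      # granted via group


def check_model_access(user, model_id, models=MODELS):
    """Per-model authorization: admin, owner, public model, or an explicit grant."""
    model = models[model_id]                       # KeyError for unknown ids
    if user.role == "admin" or model.owner_id == user.id or model.public:
        return model
    if user.id in model.allowed_users or user.groups & model.allowed_groups:
        return model
    raise AccessDenied(f"user {user.id} has no access to model {model_id}")


def upstream_call(model_id, payload):
    """Constructed stand-in for forwarding the request to the upstream provider."""
    return {"model": model_id, "input": payload}


def responses_vulnerable(user, model_id, payload, models=MODELS):
    """Pre-fix shape: the caller is a verified session, nothing else is checked."""
    return upstream_call(model_id, payload)


def responses_fixed(user, model_id, payload, models=MODELS):
    """Post-fix shape: the same per-model check runs before anything is forwarded."""
    check_model_access(user, model_id, models)
    return upstream_call(model_id, payload)


def is_allowed(user, model_id, models=MODELS):
    """Boolean view of check_model_access, convenient for audits and tests."""
    try:
        check_model_access(user, model_id, models)
        return True
    except AccessDenied:
        return False
```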

Fix: available in version 0.9.0.

Weakness Enumeration: Improper Access Control; Missing Authorization

Related Identifiers

CVE-2026-44556
GHSA-HP5M-24VP-VQ2Q

Affected Products

Open-Webui