PT-2026-39280 · Ollama+1

Published: 2026-05-08 · Updated: 2026-05-15 · CVE-2026-44563

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Open WebUI versions prior to 0.9.0

Description

Four Ollama proxy endpoints accept any model name from the user and forward the request to the Ollama backend without verifying that the user is authorized to access that model. While these endpoints require an authenticated non-pending user and validate that the model exists, they fail to check AccessGrants.has_access(). This allows unauthorized users to consume GPU and compute resources on restricted models and exposes restricted model configurations, including system prompts, parameters, templates, and license information. The affected endpoints are '/api/generate', '/api/embed', '/api/embeddings', and '/api/show'.

Recommendations

Update to version 0.9.0.
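
The missing check described above, shown as a minimal before/after model with a regression check over the four endpoints. This is an added example, not Open WebUI's code: the User type, the MODELS and GRANTS tables, has_access, forward, both handlers and the 403 response are constructed assumptions.

```python
# Added illustration, not Open WebUI's code. All names and data are constructed.
from dataclasses import dataclass

PROXY_ENDPOINTS = ("/api/generate", "/api/embed", "/api/embeddings", "/api/show")

@dataclass(frozen=True)
class User:
    id: str
    role: str  # "pending", "user" or "admin"

# Constructed backend state: model name -> config returned by a show-style call.
MODELS = {
    "public-llm": {"system": "You are helpful."},
    "restricted-llm": {"system": "internal prompt"},
}
# Constructed grant table: (user id, model) pairs that have read access.
GRANTS = {("alice", "public-llm"), ("alice", "restricted-llm"), ("bob", "public-llm")}

def has_access(user: User, model: str) -> bool:
    """Stand-in for a per-model grant lookup; admins bypass the table."""
    return user.role == "admin" or (user.id, model) in GRANTS

def forward(endpoint: str, model: str) -> dict:
    """Stand-in for the backend call; only /api/show returns the config."""
    return {"endpoint": endpoint, "model": model,
            "config": MODELS[model] if endpoint == "/api/show" else None}

def handle_before(user, endpoint, model):
    """Pattern from the advisory: authentication and existence checks only."""
    if user is None or user.role == "pending":
        return 401, None
    if model not in MODELS:
        return 404, None
    return 200, forward(endpoint, model)

def handle_after(user, endpoint, model):
    """Same handler with the per-model authorization check added."""
    if user is None or user.role == "pending":
        return 401, None
    if model not in MODELS:
        return 404, None
    if not has_access(user, model):
        return 403, None
    return 200, forward(endpoint, model)

def authz_gaps(handler, user, model):
    """Regression check: endpoints that serve `model` to a user with no grant."""
    return [ep for ep in PROXY_ENDPOINTS
            if not has_access(user, model) and handler(user, ep, model)[0] == 200]
```

Running authz_gaps against every handler that accepts a model name, with a user who holds no grant for a restricted model, turns this class of omission into a test failure.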

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-44563
GHSA-RCVP-6FGW-C7FH

Affected Products

Ollama
Open-Webui