PT-2026-39283 · Unknown · Open-Webui

Published 2026-05-08 · Updated 2026-05-16 · CVE-2026-44567

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.1.124
Description: An improper authorization control exists: the API does not check whether a user holds an authorized role (user or admin) before serving a request. When the platform is configured to allow new sign-ups, new accounts are assigned the pending role by default, which is meant to keep them out of the web application until an administrator approves them. That restriction is only enforced in the client presentation layer. An attacker can take the JSON Web Token (JWT) issued at registration and use it to make authenticated API calls directly, bypassing the intended restriction; for example, the /ollama/api/tags endpoint can be reached by a user whose role is still pending. The root cause is the get_current_user() function, which only verifies that the JWT is valid and never checks the associated user's role.
Recommendations: Update to version 0.1.124. As a temporary mitigation, change every authenticated endpoint to depend on get_verified_user() instead of get_current_user(), so that the user role is validated server-side on each request rather than only in the client.
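The following is an added illustration, not Open WebUI's own code, of the pattern the advisory describes: a dependency that only verifies the JWT signature (modelled on get_current_user()) beside one that also rejects accounts whose role is still pending (modelled on get_verified_user()). The HS256 signing key, the user table, the token claims and the model list are all constructed for the example; the real project's token format and helpers are assumed, not reproduced.

```python
"""
Added illustration (not Open WebUI's code): a JWT-only check versus a check
that also enforces the account role. Stdlib only, so it runs offline.
"""
import base64
import hashlib
import hmac
import json

# Assumption: a static HS256 key stands in for the server's signing secret.
SECRET_KEY = b"example-server-secret-not-from-the-project"

# Constructed user table: the self-registered account is still "pending".
USERS = {
    "u-admin": {"email": "admin@example.test", "role": "admin"},
    "u-alice": {"email": "alice@example.test", "role": "user"},
    "u-mallory": {"email": "mallory@example.test", "role": "pending"},
}


class AuthError(Exception):
    """Raised where a web framework would answer 401/403."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(user_id: str) -> str:
    """Mint an HS256 JWT carrying only the user id, as a sign-up response would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"id": user_id}).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_token(token: str) -> dict:
    """Verify the HS256 signature and return the claims, else raise AuthError."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise AuthError("bad signature")
        return json.loads(_b64url_decode(payload))
    except ValueError as exc:  # covers base64 and JSON parse failures
        raise AuthError("malformed token") from exc


def get_current_user(token: str) -> dict:
    """Vulnerable pattern: a valid signature is enough; the role is never read."""
    user = USERS.get(decode_token(token).get("id"))
    if user is None:
        raise AuthError("unknown user")
    return user


def get_verified_user(token: str) -> dict:
    """Hardened pattern: same JWT check, then reject any role outside user/admin."""
    user = get_current_user(token)
    if user["role"] not in ("user", "admin"):
        raise AuthError("account not yet approved")
    return user


def list_models(token: str, dependency=get_verified_user) -> list:
    """Stand-in for an authenticated endpoint such as /ollama/api/tags."""
    dependency(token)
    return ["llama3:latest", "mistral:latest"]  # constructed response body


def probe(user_id: str, dependency) -> str:
    """Return 'allowed' or 'denied' for user_id under the given dependency."""
    try:
        list_models(create_token(user_id), dependency)
        return "allowed"
    except AuthError:
        return "denied"


def is_token_accepted(token: str) -> bool:
    """True if the signature check passes (used to show the id claim is bound)."""
    try:
        decode_token(token)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    for uid in USERS:
        print(uid, "| jwt-only:", probe(uid, get_current_user),
              "| role-checked:", probe(uid, get_verified_user))
```

The pending account passes the JWT-only dependency and is refused by the role-checked one; approved users are unaffected, which is why the mitigation can be applied to every authenticated endpoint without regression. To confirm an instance is affected, register a fresh account, keep the JWT from the sign-up response, and request /ollama/api/tags with it while the account is still pending in the admin panel: a successful response indicates a build that still routes the endpoint through the JWT-only check.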

Exploit

Fix

Weakness Enumeration

Missing Authorization

Incorrect Authorization

Related Identifiers

CVE-2026-44567
GHSA-4VG5-RP28-GVJF

Affected Products

Open-Webui