CVE-2026-44567 - Open WebUI has Improper Authorization Control

📡 GitHub-Advisory · 2026-05-08

GHSA-4vg5-rp28-gvjf HIGH pip/open-webui

**CONFIDENTIAL**

Vulnerability Disclosure Analysis Documentation


Vulnerability Details

| # | Field | Value |
|---|---|---|
| 1 | Discoverer | Taylor Pennington of KoreLogic, Inc. |
| 2 | Date Submitted | June 11, 2024 |
| 3 | Title | Open WebUI Improper Authorization Control |
| 5 | Affected Vendor | Open WebUI |
| 6 | Affected Product(s) | Open WebUI (Formerly Ollama WebUI) |
| 7 | Affected Version(s) | 0.1.105 |
| 8 | Platform/OS | Debian GNU/Linux 12 (bookworm) |
| 9 | Vector | HTTP web interface |
| 10 | CWE | CWE-285 Improper Authorization |


4. High-level Summary

A missing authorization check allows accounts whose role is still pending (i.e. registered but not yet approved by an administrator) to make authenticated API calls in a user context.


11. Technical Analysis

The Open WebUI web application has three user role classifications: user, admin, and pending. By default, when Open WebUI is configured with new sign-ups enabled, the role assigned to a newly registered account is pending. In this configuration an administrator is expected to open the Admin management panel after each registration and change the account's role to either user or admin before that account can use the web application.

However, this restriction is only enforced at the client presentation layer: the front end hides the application from a pending account, but the API does not validate that the caller holds an authorized role (user or admin). The signup endpoint issues a bearer token to the pending account immediately, and the API accepts that token on authenticated endpoints. Because the token itself carries only the account's id, the role is a property of the server-side account record, and the check has to be applied wherever the API resolves the caller from the token, not only in the UI.
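The following is an added example and not code from the Open WebUI project or from the KoreLogic disclosure. It models the bug class described above with the standard library only: an HS256 JWT whose sole claim is the user id (the header and payload segments it produces match the token in the signup response below; the signature differs because the signing key, the second account, the user table and the `protected_resource` handler are all constructed for the example). `current_user_vulnerable` authenticates the token and stops there, so a pending account is served; `current_user_fixed` additionally reads the role from the server-side record and refuses anything outside user/admin.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side HMAC key for HS256 tokens (not Open WebUI's key).
SECRET = b"example-signing-secret"

# Constructed user table. PENDING_ID is the id returned by the signup response
# on this page; APPROVED_ID is a made-up account an administrator has approved.
PENDING_ID = "f839557a-031a-47a5-9999-0b0998f8f959"
APPROVED_ID = "0d3c7d4e-2b9a-4c1f-8e6b-1a2b3c4d5e6f"
USERS = {
    PENDING_ID: {"email": "bad_guy@korelogic.com", "role": "pending"},
    APPROVED_ID: {"email": "alice@example.com", "role": "user"},
}
ALLOWED_ROLES = {"user", "admin"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(user_id: str) -> str:
    """HS256 JWT whose only claim is the user id, like the token in the signup response."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"id": user_id}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_token(token: str):
    """Return the claims if the signature verifies, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # bad segment count, bad base64 or bad JSON
        return None


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def current_user_vulnerable(token: str) -> dict:
    """Authentication only: any valid token maps to its account, whatever the role."""
    claims = decode_token(token)
    if not isinstance(claims, dict) or claims.get("id") not in USERS:
        raise Unauthorized("invalid token")
    return USERS[claims["id"]]


def current_user_fixed(token: str) -> dict:
    """Authentication plus authorization: the role comes from the server-side
    record (never from the token) and pending accounts are refused."""
    user = current_user_vulnerable(token)
    if user["role"] not in ALLOWED_ROLES:
        raise Forbidden("account awaiting administrator approval")
    return user


def protected_resource(get_user, token: str) -> dict:
    """Hypothetical authenticated API handler (not an Open WebUI route)."""
    user = get_user(token)
    return {"caller": user["email"], "role": user["role"], "data": ["constructed-record"]}


def outcome(get_user, token: str) -> str:
    """'allowed' if the handler served the request, else the exception name."""
    try:
        protected_resource(get_user, token)
        return "allowed"
    except (Unauthorized, Forbidden) as exc:
        return type(exc).__name__


def demo() -> dict:
    pending = create_token(PENDING_ID)
    approved = create_token(APPROVED_ID)
    # Same header and payload, but a signature of all zero bytes: must be rejected.
    tampered = pending.rsplit(".", 1)[0] + "." + _b64url(b"\x00" * 32)
    return {
        "pending/vulnerable": outcome(current_user_vulnerable, pending),
        "pending/fixed": outcome(current_user_fixed, pending),
        "approved/fixed": outcome(current_user_fixed, approved),
        "tampered/fixed": outcome(current_user_fixed, tampered),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The point of the split between the two resolvers is that signature verification answers only "who is this?"; the approval decision belongs to the server-side role and must be made in the same place the API resolves the caller, so that every authenticated route inherits it rather than relying on the front end to hide pages.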

Request

POST /api/v1/auths/signup HTTP/1.1
Host: openwebui.example.com
Content-Length: 60

{
  "name": "",
  "email": "bad_guy@korelogic.com",
  "password": "a"
}

Response

HTTP/1.1 200 OK
...

{
"id": "f839557a-031a-47a5-9999-0b0998f8f959",
"email": "bad_guy@korelogic.com",
"name": "",
"role": "pending",
"profile_image_url": "/user.png",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs",
"token_type": "Beare
