Arbitrary Field Injection in Open WebUI FolderForm by Open WebUI
CVE-2026-44550

5MEDIUM

Key Information:

Vendor: Open-webui
Status: Open-webui
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-44550?

The FolderForm in Open WebUI, a self-hosted artificial intelligence platform, had a vulnerability that allowed arbitrary fields to bypass Pydantic validation prior to version 0.9.0. This issue arose from the use of model_config allowing extra fields, enabling attackers to exploit the insertion of arbitrary user IDs via the POST request. This flaw permitted unauthorized modifications to the FolderModel, leading to potential data integrity concerns. The vulnerability was effectively remedied in version 0.9.0, ensuring robust validation of user inputs.

Affected Version(s)

open-webui < 0.9.0

References

https://github.com/open-webui/open-webui/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44550 Data

JSON

Open-webui

What is CVE-2026-44550?

Affected Version(s)

References

CVSS V3.1

Timeline