IDOR Vulnerability in Open WebUI Self-Hosted AI Platform
CVE-2026-44569

7.1 HIGH

Key Information:

Vendor
Open-webui

CVE Published:
15 May 2026

What is CVE-2026-44569?

Open WebUI, an offline self-hosted artificial intelligence platform, suffers from an Insecure Direct Object Reference (IDOR) vulnerability in its message management system. This flaw allows authenticated users to modify or delete any message within channels they can access, because the backend APIs do not properly validate message ownership. Although the frontend implements checks that restrict these actions to the message owner or an administrator, the backend does not verify whether the user requesting the modification actually owns the message. As a result, an attacker could exploit this oversight to compromise content integrity and privacy. This issue has been resolved in version 0.6.19.

Affected Version(s)

open-webui < 0.6.19

References

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved