Vulnerability in Open WebUI AI Platform Allows Unauthorized Message Updates
CVE-2026-44571

6.5MEDIUM

Key Information:

Vendor: Open-webui
Status: Open-webui
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-44571?

A vulnerability in Open WebUI allows users without proper authorization to modify messages in standard channels. Specifically, when the access control is set to None, the endpoint /api/v1/channels/{channel_id}/messages/{message_id}/update improperly validates permissions. This means that users who are not the original message owners can update messages, leading to potential information tampering. The issue has been resolved in version 0.8.6 where appropriate access control checks are implemented.

Affected Version(s)

open-webui < 0.8.6

References

https://github.com/open-webui/open-webui/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44571 Data

JSON

Open-webui

What is CVE-2026-44571?

Affected Version(s)

References

CVSS V3.1

Timeline