CVE-2026-44563: Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show

May 8, 2026

Four Ollama proxy endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access().

This is in direct contrast with the /ollama/api/chat endpoint (line 1101-1122) which correctly validates model access grants and returns 403 for unauthorized users:

References

github.com/advisories/GHSA-rcvp-6fgw-c7fh
github.com/open-webui/open-webui
github.com/open-webui/open-webui/security/advisories/GHSA-rcvp-6fgw-c7fh
nvd.nist.gov/vuln/detail/CVE-2026-44563

Code Behaviors & Features

Detect and mitigate CVE-2026-44563 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →