CVE-2026-59226 in Open WebUI
Summary
by MITRE • 07/09/2026
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability described affects Open WebUI versions between 0.9.0 and 0.10.0, specifically within the automation and access control mechanisms of this self-hosted AI platform. The core security flaw manifests in two interconnected areas that together create a persistent privilege escalation vector. When execute_automation processes rehydrate automation owners, it fails to validate whether these users remain active or retain appropriate permissions within the system. This rehydration process occurs without proper authorization checks, allowing inactive or pending users to continue executing scheduled automation tasks despite their status changes.
The second component of this vulnerability involves the check_model_access function which inadequately enforces private model access controls. This function only validates access permissions based on exact user role matches rather than implementing comprehensive access validation that considers user status and permission states. As a result, deactivated users who were previously granted pending access to automation features can continue executing scheduled model operations even after their accounts have been disabled or suspended. This represents a significant bypass of the intended access control architecture.
The technical implications of this vulnerability align with CWE-284, which addresses improper access control mechanisms in software systems. The flaw essentially creates a persistent backdoor where inactive users maintain elevated privileges through stale automation contexts. From an operational perspective, this vulnerability allows attackers who gain access to deactivated user credentials or can manipulate the system to continue executing unauthorized automation tasks. The impact extends beyond simple privilege escalation as it enables continued execution of potentially malicious automation workflows that could compromise data integrity and system availability.
The attack surface for this vulnerability encompasses scenarios where users transition from active to inactive states through legitimate account deactivation processes, system maintenance procedures, or security incidents. Attackers could exploit this by either maintaining access through compromised deactivated accounts or by manipulating the automation rehydration process to restore access to previously disabled user contexts. This creates a persistent threat vector that could remain undetected for extended periods, as the system continues to execute scheduled tasks without proper authorization verification.
The fix implemented in version 0.10.0 addresses these issues through enhanced validation mechanisms that ensure proper authorization checks occur during automation rehydration processes and that access controls properly account for user status changes. This solution aligns with ATT&CK technique T1078.004 which covers legitimate credentials and privileges, ensuring that system components properly validate user authentication states before granting continued access to automated processes. Organizations should implement immediate patching of affected systems and conduct thorough audits of automation workflows to identify any unauthorized access patterns that may have occurred during the vulnerable period.