CVE-2026-59226
Received Received - Intake

Privilege Escalation in Open WebUI via Automation Rehydration

Vulnerability report for CVE-2026-59226, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
open_webui open_webui to 0.10.0 (exc)
open_webui open_webui 0.10.0
open_webui open_webui From 0.9.0|end_excluding=0.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Open WebUI allows deactivated or unauthorized users to continue executing scheduled automations and access models improperly, which could lead to unauthorized use of system resources.

However, the issue does not enable unauthenticated access, account takeover, or data exfiltration, and primarily affects availability by allowing unauthorized resource consumption.

Given this, the vulnerability may have limited direct impact on compliance with data protection regulations like GDPR or HIPAA, which focus on confidentiality and integrity of personal data, since no data breach or unauthorized data access is indicated.

Nonetheless, improper authorization and continued execution by deactivated users could pose risks to operational security and resource management, which might indirectly affect compliance posture depending on organizational policies.

Executive Summary

The vulnerability in Open WebUI versions 0.9.0 to before 0.10.0 involves two authorization gaps. First, the automation scheduler (execute_automation) would rehydrate the owner of an automation without rechecking if the user was still active or had the necessary permissions, allowing deactivated or pending users to continue running scheduled automations using provider credentials. Second, the model access control (check_model_access) only enforced permissions for users with the exact 'user' role, letting other non-admin roles, including pending users, bypass access restrictions and improperly access models.

These issues were fixed in version 0.10.0 by adding permission revalidation before automation execution and enforcing access control checks for all non-admin roles, denying access by default if unauthorized.

Impact Analysis

This vulnerability can allow deactivated or pending user accounts to continue executing scheduled automations and accessing models without proper authorization. This unauthorized execution can lead to unintended consumption of model-provider credentials and resources, potentially impacting system availability.

However, it does not enable unauthenticated access, account takeover, or data exfiltration.

Detection Guidance

This vulnerability involves authorization gaps that allow deactivated or pending user accounts to continue executing scheduled automations and accessing models improperly.

To detect this vulnerability on your system, you should monitor scheduled automation executions and verify whether any automations are running under deactivated or pending user accounts.

Specifically, check logs or audit trails for automation runs where the owner is a user with a 'pending' status or without the required 'features.automations' permission.

Commands or queries to detect this might include:

  • Query the automation scheduler logs for executions by user IDs that are marked as deactivated or pending.
  • Check user account statuses in your user management system to identify any pending or deactivated users who have scheduled automations.
  • Audit model access logs to find accesses by non-admin roles other than the exact 'user' role, which might indicate bypass of ACL enforcement.

Since the vulnerability is related to internal permission checks, specific commands depend on your logging and monitoring setup, but focusing on automation execution logs and user status correlation is key.

Mitigation Strategies

The immediate mitigation step is to upgrade Open WebUI to version 0.10.0 or later, where this vulnerability has been fixed.

The fix includes revalidating the automation owner’s permissions before executing scheduled automations and enforcing model access control lists (ACLs) for all non-admin roles, preventing unauthorized execution and access.

If upgrading immediately is not possible, consider temporarily disabling scheduled automations or restricting automation execution to only active users with verified permissions.

Additionally, review and tighten your user role assignments and permissions, ensuring that deactivated or pending users do not retain automation or model access privileges.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart