Mission Request

CVE-2026-45400, CVE-2026-44566, CVE-2026-45675: Critical Vulnerabilities in Open WebUI Put Self-Hosted AI Deployments at Risk

Open WebUI has grown significantly in adoption as teams look to run AI workloads locally or within private infrastructure. That growth also means the attack surface has expanded. These vulnerabilities are consequential precisely because of that deployment pattern: a compromised Open WebUI instance often has direct access to internal services, model backends, and potentially sensitive data passed to AI models.

CVE-2026-45400: Remote Code Execution via Model Import

CVE-2026-45400 is the most severe of the three. It allows an authenticated attacker to achieve remote code execution by abusing the model import functionality. When a user uploads or imports a model configuration file, the application processes its contents without sufficient validation. An attacker who can reach the import endpoint can craft a malicious payload that causes arbitrary server-side code to execute in the context of the Open WebUI process.

The severity is compounded by the fact that Open WebUI instances are frequently run with elevated privileges or in container environments where a breakout or lateral movement opportunity is meaningful. Depending on how the instance is deployed, exploitation could allow an attacker to access model weights, system configurations, internal API keys, or any data the server process can reach.

CVSS scoring reflects this: the vulnerability carries a critical rating, with a network-accessible attack vector, low attack complexity once the attacker holds valid credentials, and high impact across confidentiality, integrity, and availability.

CVE-2026-44566: Server-Side Request Forgery

CVE-2026-44566 is a server-side request forgery vulnerability in Open WebUI's URL-fetching and document retrieval functionality. The application allows users to provide external URLs for context retrieval, document import, or model pulling. Insufficient validation of these inputs allows an attacker to coerce the server into making requests to internal network destinations that would otherwise be inaccessible.

This type of vulnerability is particularly dangerous in cloud and containerized environments where internal metadata services, orchestration APIs, or adjacent microservices are reachable from the application server. An attacker exploiting CVE-2026-44566 could:

  • Query cloud provider metadata endpoints to retrieve instance credentials or configuration
  • Probe internal services not exposed to the external network
  • Access Ollama's API directly to exfiltrate model data or manipulate inference
  • Bypass network controls that assume external users cannot reach internal resources

SSRF is often underestimated but frequently enables privilege escalation or lateral movement that turns a moderate web vulnerability into a full infrastructure compromise.
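The defensive counterpart to the fetch-side weakness described above is a policy check that runs before the server follows any user-supplied URL. The following is an added example, not Open WebUI's own validation code (the advisory does not show it): it restricts schemes, refuses embedded credentials and the metadata hosts named in the list above, resolves the hostname and rejects the URL if any answer is a non-public address (including IPv4-mapped IPv6 literals). The resolver is injected so the check runs offline; DEMO_DNS, demo_resolver and the host names in it are constructed test data, not real records.

```python
"""Allow/deny check for a URL the server is about to fetch on a user's behalf.

Added example: Open WebUI's own URL validation is not shown in the advisory,
so this is a generic policy of the kind a defender places in front of any
server-side fetch. The DNS resolver is injected so the check runs offline;
DEMO_DNS and demo_resolver are constructed test data, not real records.
"""
import ipaddress
import socket
from typing import List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Well-known cloud metadata endpoints; the advisory singles these out as SSRF targets.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver; return every A/AAAA answer, not just the first."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_disallowed_address(ip) -> bool:
    """True for anything that is not a routable public unicast address."""
    # Judge an IPv4-mapped IPv6 address (::ffff:10.0.0.5) as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        not ip.is_global          # private, loopback, link-local, reserved, unspecified
        or ip.is_multicast
        or str(ip) in METADATA_HOSTS
    )


def check_outbound_url(url: str, resolver=system_resolver) -> Tuple[bool, str, List[str]]:
    """Return (allowed, reason, resolved_addresses).

    The caller must connect to one of the returned addresses rather than
    re-resolving the hostname, otherwise a DNS answer that changes between
    check and use (DNS rebinding) defeats the check. Redirect targets must be
    passed through this function again before they are followed.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:                      # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL", []
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host", []
    if host in METADATA_HOSTS:
        return False, f"metadata host {host}", []
    try:
        addresses = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}", []
    if not addresses:
        return False, "host has no addresses", []
    resolved = [str(ip) for ip in addresses]
    # Reject if *any* answer is internal: a mix of public and private answers
    # is exactly what a rebinding or split-horizon setup looks like.
    for ip in addresses:
        if is_disallowed_address(ip):
            return False, f"resolves to non-public address {ip}", resolved
    return True, "ok", resolved


# Constructed DNS table for offline use; names and addresses are illustrative only.
DEMO_DNS = {
    "docs.example.com": ["8.8.8.8"],                 # stands in for an ordinary public host
    "ollama.internal": ["10.20.0.5"],                # an internal model backend
    "rebind.example.com": ["8.8.8.8", "10.20.0.5"],  # public and private answers together
}


def demo_resolver(host: str) -> list:
    """Offline stand-in for system_resolver backed by DEMO_DNS."""
    try:
        return [ipaddress.ip_address(host)]          # IP literal: nothing to resolve
    except ValueError:
        pass
    if host not in DEMO_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return [ipaddress.ip_address(a) for a in DEMO_DNS[host]]


if __name__ == "__main__":
    for u in ["https://docs.example.com/guide.pdf",
              "http://169.254.169.254/latest/meta-data/",
              "http://ollama.internal:11434/api/tags",
              "http://rebind.example.com/",
              "http://[::ffff:10.0.0.5]/",
              "file:///etc/passwd"]:
        print(u, "->", check_outbound_url(u, resolver=demo_resolver))
```

Two design points matter more than the deny list itself: the fetch must use the address the check returned (re-resolving the name reopens the rebinding window), and every redirect hop must be checked again, since a public host can simply redirect the server to an internal one.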

CVE-2026-45675: Path Traversal Leading to Arbitrary File Read

CVE-2026-45675 is a path traversal vulnerability affecting file handling within Open WebUI. User-controlled input used in file path construction is not properly sanitized, allowing an attacker to traverse outside the intended directory and read arbitrary files accessible to the Open WebUI process.

In practice, this can expose:

  • Configuration files containing API keys, database credentials, or secrets
  • Model-related files and embeddings stored on disk
  • System files such as /etc/passwd or environment variable files that may contain sensitive values
  • Any other files the process user has read access to

While path traversal alone does not provide code execution, the information it leaks can directly enable other attacks or provide everything an attacker needs to move laterally.
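The fix for the file-handling weakness described above is a confinement check rather than string filtering. The following is an added example, not Open WebUI's file-handling code (the advisory does not show it), and assumes POSIX paths: it rejects NUL bytes and absolute names, resolves the candidate with symlinks followed, and accepts it only if the resolved result still sits inside the resolved base directory. That catches a symlink inside the upload directory pointing outside it, which a textual check for `../` would miss. The directory layout built by `demo()` is constructed test data.

```python
"""Confining a user-supplied file name to a fixed base directory.

Added example, not Open WebUI's file-handling code (the advisory does not show
it). It shows the check a path-traversal fix needs: reject absolute paths and
NUL bytes, resolve the candidate with symlinks followed, and verify the result
is still inside the resolved base. POSIX paths are assumed.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when the requested name would leave the base directory."""


def resolve_under(base: str | os.PathLike, user_name: str) -> Path:
    """Return the real path for `user_name` inside `base`, or raise PathEscapeError."""
    if "\x00" in user_name:
        raise PathEscapeError("NUL byte in file name")
    if os.path.isabs(user_name):
        raise PathEscapeError("absolute paths are not accepted")
    base_real = Path(base).resolve(strict=True)
    # resolve() follows symlinks and collapses '..', so a link inside base that
    # points outside it is caught, not only textual '../' sequences.
    candidate = (base_real / user_name).resolve(strict=False)
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise PathEscapeError(f"path escapes base directory: {user_name!r}") from None
    return candidate


def demo() -> dict[str, str]:
    """Build a constructed layout in a temp dir and classify several inputs."""
    root = Path(tempfile.mkdtemp(prefix="pt-demo-"))
    base = root / "uploads"
    base.mkdir()
    (base / "allowed.txt").write_text("fine")
    outside = root / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("not for the web user")
    (base / "link").symlink_to(outside / "secret.txt")   # symlink that escapes base

    inputs = [
        "allowed.txt",                   # ordinary name inside base
        "../outside/secret.txt",         # classic traversal
        "sub/../../outside/secret.txt",  # traversal through a non-existent component
        "/etc/passwd",                   # absolute path
        "link",                          # looks harmless, resolves outside base
        "a\x00b",                        # NUL byte
    ]
    outcome = {}
    for name in inputs:
        try:
            resolve_under(base, name)
            outcome[name] = "allowed"
        except PathEscapeError:
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name!r}")
```

The order of operations is the point: resolve first, compare second. Comparing before resolving (or comparing with plain string prefixes) leaves the symlink case open, and resolving the base as well avoids false rejections on systems where the base itself lives behind a symlink.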

Affected versions and remediation

All three vulnerabilities affect Open WebUI versions prior to the patched release. Users should upgrade to the latest available version as soon as possible. The project's GitHub releases page contains the patched builds and associated changelogs.

If an immediate upgrade is not possible:

  • Restrict access to Open WebUI to trusted internal users only, using network-level controls
  • Place the instance behind a VPN or zero-trust access gateway
  • Disable or restrict URL-fetching and import features where they are not required
  • Review container or host permissions to minimize what the process can access in the event of exploitation
  • Audit logs for unusual outbound requests, file access patterns, or unexpected model imports
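The last item in the list above, auditing logs, is concrete enough to show in code. The following is an added example, not an Open WebUI tool or log format: the sample lines are a constructed reverse-proxy style access log, and the routes (/api/v1/files, /api/v1/retrieval/web, /api/v1/models/import) and the `url` query parameter are illustrative assumptions, not the project's real endpoints. It flags decoded traversal sequences in request targets, fetch parameters that point at a metadata host or a non-public IP literal, and model-import requests, then summarises findings per client address.

```python
"""Log triage for the three indicator types the remediation list names: path
traversal sequences in request targets, server-side fetches aimed at internal
or metadata addresses, and model-import activity.

Added example. The log format is a constructed reverse-proxy style line, not
Open WebUI's real log output, and the route names and the `url` parameter are
illustrative assumptions, not the project's actual endpoints.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")             # '..' followed by a separator, after decoding
IMPORT_ROUTES = ("/api/v1/models/import",)          # assumed route
FETCH_PARAMS = ("url",)                             # assumed query parameter carrying a fetch target
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# Constructed sample log; addresses, users and timestamps are made up.
SAMPLE_LOG = """\
10.1.2.3 - alice [10/Mar/2026:09:14:01 +0000] "GET /api/v1/files/report.pdf HTTP/1.1" 200
10.1.2.3 - alice [10/Mar/2026:09:14:07 +0000] "GET /api/v1/files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200
10.9.8.7 - bob [10/Mar/2026:09:15:10 +0000] "POST /api/v1/retrieval/web?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200
10.9.8.7 - bob [10/Mar/2026:09:15:12 +0000] "POST /api/v1/retrieval/web?url=https%3A%2F%2Fdocs.example.com%2Fguide.pdf HTTP/1.1" 200
10.9.8.7 - bob [10/Mar/2026:09:16:40 +0000] "POST /api/v1/models/import HTTP/1.1" 200
10.1.2.3 - alice [10/Mar/2026:09:17:02 +0000] "GET /api/v1/files/../../../etc/hostname HTTP/1.1" 403
"""


def decode_twice(s: str) -> str:
    """Decode percent-encoding twice so a double-encoded '..%252F' is also seen as '../'."""
    return unquote(unquote(s))


def internal_fetch_target(target: str):
    """Return the host if a fetch-style parameter points at a metadata host or non-public IP literal."""
    query = urlsplit(target).query
    for name in FETCH_PARAMS:
        for value in parse_qs(query).get(name, []):
            host = urlsplit(value).hostname
            if not host:
                continue
            if host in METADATA_HOSTS:
                return host
            try:
                if not ipaddress.ip_address(host).is_global:
                    return host
            except ValueError:
                pass   # a hostname; whether it resolved internally is a job for DNS/egress logs
    return None


def triage(log_text: str) -> list:
    """Return one finding dict per suspicious event, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                # unparsed lines are skipped, not guessed at
        rec = m.groupdict()
        decoded = decode_twice(rec["target"])
        try:
            path = urlsplit(decoded).path
        except ValueError:
            path = decoded
        if TRAVERSAL_RE.search(decoded):            # blocked (403) attempts are still worth seeing
            findings.append({**rec, "kind": "path-traversal", "detail": decoded})
        host = internal_fetch_target(rec["target"])
        if host:
            findings.append({**rec, "kind": "ssrf-internal-target", "detail": host})
        if rec["method"] == "POST" and path.startswith(IMPORT_ROUTES):
            findings.append({**rec, "kind": "model-import", "detail": path})
    return findings


def by_source(findings: list) -> dict:
    """Count finding kinds per client address, to see who is doing what."""
    summary: dict = {}
    for f in findings:
        summary.setdefault(f["src"], Counter())[f["kind"]] += 1
    return summary


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']:9} {f['user']:6} {f['kind']:22} {f['detail']}")
    print(by_source(triage(SAMPLE_LOG)))
```

Model imports are listed as plain events rather than alerts because the feature is legitimate; the value is in reviewing who imported what and when against the change record. Fetch targets given as hostnames are deliberately not judged here, since only DNS or egress logs show what they resolved to.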

Why self-hosted AI infrastructure warrants more scrutiny

The rise of self-hosted AI tooling has introduced a new class of infrastructure that many security teams are not yet treating with the same rigor as production web applications. Open WebUI and similar tools often run with broad permissions, sit adjacent to sensitive data, and connect to APIs or model backends that were not designed with adversarial input in mind.

These three CVEs are a reminder that the "self-hosted = safer" assumption deserves to be challenged. An Open WebUI instance connected to an internal Ollama server and accessible over a corporate network is an attack surface that needs patching cycles, access controls, and monitoring like any other critical application.
