VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-nxvm-97r4-6ybz

Essentials
Severities (13)
References (5)
Severity details (9)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-nxvm-97r4-6ybz
Aliases	CVE-2026-44560 GHSA-h36f-rqpx-j5wx
Summary	Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare collection_name/collection_names paths in the get_sources_from_items function perform vector store queries without any authorization check, allowing users to extract content from files and knowledge bases they do not have access to. This vulnerability is fixed in 0.9.0.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-862	Missing Authorization
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-44560
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-44560
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-44560
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-44560
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-h36f-rqpx-j5wx
cvssv3.1	6.5	https://github.com/open-webui/open-webui
generic_textual	MODERATE	https://github.com/open-webui/open-webui
cvssv3.1	6.5	https://github.com/open-webui/open-webui/security/advisories/GHSA-h36f-rqpx-j5wx
cvssv3.1_qr	MODERATE	https://github.com/open-webui/open-webui/security/advisories/GHSA-h36f-rqpx-j5wx
generic_textual	MODERATE	https://github.com/open-webui/open-webui/security/advisories/GHSA-h36f-rqpx-j5wx
ssvc	Track	https://github.com/open-webui/open-webui/security/advisories/GHSA-h36f-rqpx-j5wx
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2026-44560
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-44560

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-44560
		https://github.com/open-webui/open-webui
		https://nvd.nist.gov/vuln/detail/CVE-2026-44560
GHSA-h36f-rqpx-j5wx		https://github.com/advisories/GHSA-h36f-rqpx-j5wx
GHSA-h36f-rqpx-j5wx		https://github.com/open-webui/open-webui/security/advisories/GHSA-h36f-rqpx-j5wx

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/open-webui/open-webui

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/open-webui/open-webui/security/advisories/GHSA-h36f-rqpx-j5wx

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T21:09:48Z/ Found at https://github.com/open-webui/open-webui/security/advisories/GHSA-h36f-rqpx-j5wx

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-44560

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.10234
EPSS Score	0.00033
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:42:47.496240+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/44xxx/CVE-2026-44560.json	38.6.0