2 matches found
CVE-2026-44550 Open WebUI: Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses modelconfig = ConfigDictextra='allow', which permits arbitrary fields to pass through Pydantic validation and be included in modeldumpexcludeunset=True. In...
CVE-2026-44550
Open WebUI prior to 0.9.0 vulnerable to mass assignment via Pydantic extra='allow' in FolderForm. The server constructs a FolderModel by merging attacker-controlled extra fields (from form_data.model_dump(exclude_unset=True)) over a server-populated user_id, and because user_id is a real field, a...