CVE-2026-59226
Severity CVSS v4.0:
Pending analysis
Type:
CWE-285
Improper Authorization
Publication date:
09/07/2026
Last modified:
10/07/2026
Description
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0.
Impact
Base Score 3.x
3.10
Severity 3.x
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* | 0.9.0 (including) | 0.10.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



