Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
When setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt.
However users may consider their system prompt confidential, so we consider this a security issue.
Compare https://genai.owasp.org/llmrisk/llm072025-system-prompt-leakage/ or prompt injections to get popular chatbots on the internet to reveal their prompt.
Details
We discovered that users can open the workspace model edit page /workspace/models/edit?id=notmymodel for models that do not appear in their workspace.
Saving is not possible, that permission check is correct.
On the API level:
`/api/v1/models/model?id=notmymodel`-> returns the model details, most importantly params.system- even though
`/api/v1/models/list`does NOT contain the model since it checks for write permission. `/api/models`contains the model correctly and does not reveal the system prompt.
It seems inconsistent that the REST API list does not contain an item, but if you know the id, you can access it anyway.
PoC
- create model
- give read permission to group with another user
- other user can access
`/api/v1/models/model?id=notmymodel`
Impact
System prommpt leakage
If this is intended behavior for the "read" permission, maybe there should be an additional "use" permission (which would be 99% of use cases of the read permission i believe).
AnalysisAI
Open WebUI versions 0.9.4 and earlier expose model system prompts to users with read-only group permissions through inconsistent API permission checks. The /api/v1/models/model endpoint returns full model details including system prompts when accessed by authenticated users with read access, while the list endpoint correctly restricts visibility, creating a permission bypass that leaks confidential prompt engineering data. This affects collaborative environments where model sharing is intended for execution only, not inspection.
Technical ContextAI
Open WebUI is a Python-based LLM interface framework (pip package) that manages models with granular permission controls via group-based access lists. The vulnerability stems from inconsistent permission validation across multiple API endpoints: /api/v1/models/model?id=<id> applies read-level permission checks, while /api/v1/models/list and /api/models correctly enforce write-level access for disclosure. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) - the system prompt field in the model params object is returned without sufficient authorization context, violating the principle of least privilege. Authenticated users with group-assigned read permissions can enumerate model IDs and directly query full model configurations, bypassing the intended information flow.
RemediationAI
Vendor-released patch: upgrade to Open WebUI version 0.9.5 or later immediately. Apply the patch from https://github.com/open-webui/open-webui/releases/tag/v0.9.5, which corrects permission checks on the /api/v1/models/model endpoint to enforce write-level access instead of read-level access for system prompt disclosure. As a temporary mitigation pending upgrade, restrict group membership assignments to trusted users only and audit all group-based model shares to identify potential prompt exposure. Disable direct API access to /api/v1/models/model via network controls if feasible, routing all model queries through /api/models endpoint instead (which correctly redacts system prompts), though this may break some UI workflows - test thoroughly before deployment. Monitor audit logs for repeated /api/v1/models/model queries by non-owner accounts as a signal of active exploitation.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30628
GHSA-h2cw-7qw9-56xr