Skip to main content

Open WebUI EUVDEUVD-2026-30605

| CVE-2026-45349 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 https://github.com/open-webui/open-webui GHSA-gfm2-xm6c-37qc
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:31 vuln.today
Analysis Generated
May 14, 2026 - 21:31 vuln.today
CVE Published
May 14, 2026 - 20:24 nvd
HIGH 7.1

DescriptionGitHub Advisory

Summary

Any user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so.

Details

A user just needs to use the API endpoint: /api/chat/completions with their own API key (generated in OWUI) and the Chat ID of another user. OWUI does not check to match the Chat ID with the user that created that Chat ID. Note that both users will need access to the same model. This is especially relevant if there is a shared pipeline model between users.

PoC

  1. Using OWUI v0.6.18
  2. Sign in with any user X
  3. Generate an API Key for user X using the settings
  4. Create another user Y, and have a conversation in OWUI. Copy the Chat ID from the URL.
  5. User X can now use the API /api/chat/completions and the Chat ID from step 4 to continue the conversation of user Y

Impact

Large impact to any user in OWUI. People can read your conversations, and access private information if they know your Chat ID (which is in the URL of the chat).

Resolution

Fixed in commit cf4218e68, first released in v0.9.0 (Apr 2026). The chat_completion handler at backend/open_webui/main.py:1868 now explicitly verifies chat ownership via Chats.is_chat_owner(chat_id, user.id) for any request that targets an existing chat, and raises 404 for non-owners (admin bypass preserved per the documented threat model). New chats (no chat_id supplied, or freshly inserted via the is_new_chat branch) are unaffected. Users on >= 0.9.0 are not affected.

AnalysisAI

Broken access control in Open WebUI's /api/chat/completions endpoint allows any authenticated user to read and continue other users' private conversations by supplying a known Chat ID. The API fails to verify chat ownership before granting access, exposing sensitive conversation data across multi-user deployments with shared AI models. Fixed in v0.9.0 via commit cf4218e68, which enforces ownership validation through Chats.is_chat_owner() checks. Exploitation requires low-privilege authentication (PR:L) and network access (AV:N), but no user interaction (UI:N) or special configuration-any default multi-user instance with shared pipelines is vulnerable. CVSS 7.1 (High) reflects network-accessible confidentiality breach (C:H) with limited integrity impact (I:L). No public exploit identified at time of analysis, but proof-of-concept published in GitHub advisory GHSA-gfm2-xm6c-37qc demonstrates trivial exploitation via legitimate API key usage.

Technical ContextAI

This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a subclass of broken access control where the application trusts client-supplied object identifiers without validating ownership. Open WebUI is a Python-based web interface for LLM interactions (distributed via PyPI as open-webui). The chat_completion handler in backend/open_webui/main.py accepted chat_id parameters from API requests but failed to cross-reference them against the authenticated user's identity. The CVSS vector PR:L (low privilege required) confirms that any authenticated user can exploit this-no admin rights needed. The fix introduces explicit ownership checks: before processing an existing chat (non-new, non-local), the code now calls Chats.is_chat_owner(chat_id, user.id) and returns HTTP 404 for non-owners (preserving admin override per design). The patch also refactors chat lifecycle management to distinguish new-chat creation (is_new_chat flag) from follow-up messages, ensuring proper isolation of user data.

RemediationAI

Upgrade to Open WebUI v0.9.0 or later (pip install --upgrade open-webui). The fix is implemented in commit cf4218e688def6f11d195aeda6665ae5b5376b67, which adds explicit chat ownership validation at backend/open_webui/main.py:1868 via the Chats.is_chat_owner() method. Users on versions 0.6.18-0.8.12 should prioritize this upgrade immediately for multi-tenant environments. If immediate patching is blocked, apply these compensating controls with the noted trade-offs: (1) Disable API key generation for non-admin users via admin panel-prevents low-privilege users from accessing /api/chat/completions directly but breaks legitimate API integrations and automation workflows. (2) Implement reverse proxy ACLs (e.g., nginx/Traefik) to restrict /api/chat/completions to admin source IPs only-mitigates remote exploitation but degrades usability for distributed teams and mobile access. (3) Segregate users into isolated Open WebUI instances (one per tenant) with no shared pipeline models-eliminates cross-user access but increases infrastructure overhead and operational complexity. None of these workarounds provide complete protection; upgrade to v0.9.0 is the only full remediation. Vendor advisory and patch commit linked at https://github.com/open-webui/open-webui/security/advisories/GHSA-gfm2-xm6c-37qc and https://github.com/open-webui/open-webui/commit/cf4218e688def6f11d195aeda6665ae5b5376b67.

Share

EUVD-2026-30605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy