Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST /api/tasks/stop/{task_id} methods. This allows a casual user to disrupt system-wide chat usage by continuously canceling other users' active tasks. This is a real authorization vulnerability affecting integrity and usability in multi-user deployments.
Details
Open WebUI exposes GET /api/tasks and POST /api/tasks/stop/{task_id} to any verified user. These endpoints operate on a global task namespace and accept raw task_id values without checking whether the task belongs to the current caller.
As a result, a normal authenticated user can enumerate active global task IDs and stop tasks belonging to other users.
Root cause:
- Route authorization is too weak.
In backend/open_webui/main.py, both endpoints only require get_verified_user:
@app.post('/api/tasks/stop/{task_id}')
async def stop_task_endpoint(request: Request, task_id: str, user=Depends(get_verified_user)):
result = await stop_task(request.app.state.redis, task_id)
@app.get('/api/tasks')
async def list_tasks_endpoint(request: Request, user=Depends(get_verified_user)):
return {'tasks': await list_tasks(request.app.state.redis)}get_verified_user accepts both user and admin roles in backend/open_webui/utils/auth.py.
- The helper operates on a global namespace.
In backend/open_webui/tasks.py, task listing is global:
async def list_tasks(redis):
if redis:
return await redis_list_tasks(redis)
return list(tasks.keys())In backend/open_webui/tasks.py, task stopping is by raw task_id:
async def stop_task(redis, task_id: str):
if redis:
item_id = await redis.hget(REDIS_TASKS_KEY, task_id)
await redis_send_command(redis, {'action': 'stop', 'task_id': task_id})
await redis_cleanup_task(redis, task_id, item_id or None)There is no owner check, no user_id check, and no mapping from task_id back to the current caller before stop or cleanup.
This also appears unintended because the codebase already has a scoped route, GET /api/tasks/chat/{chat_id}, which checks whether the chat belongs to the current user before returning task IDs.
Relevant code references:
backend/open_webui/main.py:1975backend/open_webui/main.py:1984backend/open_webui/main.py:1989backend/open_webui/tasks.py:127backend/open_webui/tasks.py:145backend/open_webui/utils/auth.py:415
Suggested remediation:
- Store task ownership metadata such as
user_idandchat_id, then enforce owner-only access for non-admin users - Suggested implementation locations:
backend/open_webui/main.py: add authentication checks for/api/tasksand/api/tasks/stop/{task_id}backend/open_webui/tasks.py: add support for storing/querying task ownership metadata such asuser_idandchat_id, and support owner-scoped listing/stopping
PoC
Preconditions:
- Default
mainbranch deployment - Authentication enabled
- Two normal user accounts, or any multi-user deployment where the attacker has one authenticated non-admin account
- At least one task actively running for another user
This does not require any weakened security settings.
PoC objective:
- Show that a non-admin user can see global active task IDs that are not their own
- Show that the same user can stop another user's active task
Reproduction steps:
Step 1. Victim starts a long-running task
Using the UI, User A starts a long response generation or another background task and leaves it running.
Expected security model: User B should not be able to see or control User A's task.
Step 2. Attacker enumerates global task IDs
Using User B's authenticated token:
curl -i -H "Authorization: Bearer <USER_B_TOKEN>" http://<open-webui-host>/api/tasksExpected result:
- only User B's own task IDs should be returned, or
- the endpoint should be admin-only
Actual result: the response returns the global active task list.
Example response shape:
{"tasks":["<task-id-a>","<task-id-b>"]}This exposes task IDs belonging to other users.
Step 3. Attacker stops a foreign task
Pick a task ID that belongs to User A and send:
curl -i -X POST -H "Authorization: Bearer <USER_B_TOKEN>" http://<open-webui-host>/api/tasks/stop/<FOREIGN_TASK_ID>Expected result:
403 Forbidden, or404 Not Foundfor non-owned tasks, or- admin-only access
Actual result: the server accepts the request and attempts to stop the foreign task.
Example response shape:
{"status":true,"message":"Task <FOREIGN_TASK_ID> stopped."}Step 4. Observe boundary violation
User A's running task is interrupted or disappears from the active task set even though User B does not own it.
What actions become possible that should not be possible:
- enumerate globally active task IDs across users
- cancel another user's in-progress generation or background work
- repeat this for every returned task ID, causing broad cross-user disruption
Copy-paste PoC summary:
- Enumerate all active tasks as a normal non-admin user
curl -s -H "Authorization: Bearer <USER_B_TOKEN>" http://<open-webui-host>/api/tasks- Stop a task that does not belong to that user
curl -s -X POST -H "Authorization: Bearer <USER_B_TOKEN>" http://<open-webui-host>/api/tasks/stop/<FOREIGN_TASK_ID>Impact
Type of vulnerability: broken object-level authorization affecting a global runtime control-plane endpoint.
Who is impacted:
- all users in a multi-user Open WebUI deployment
- any user currently running a background task, especially chat generation tasks
- administrators indirectly, because normal users can disrupt system-wide usage without admin privileges
Direct impact:
- cross-user task ID disclosure
- cross-user task cancellation
Practical impact:
- interruption of long-running chat responses
- interruption of background indexing or ingestion tasks associated with shared runtime jobs
- one ordinary authenticated low-privilege user can continuously poll
/api/tasksand immediately cancel every newly created active task - with a simple loop or script, this becomes a practical persistent denial-of-service against chat usage for all users on the instance
- in a multi-user deployment, normal users may be unable to complete any chat generation while the attacker continues polling and cancelling tasks
Why severity is meaningful:
- privileges required: low, only an authenticated non-admin account
- scope: cross-user
- impact class: integrity and availability
- exploitation complexity: low once logged in
This is not full account takeover or privilege escalation, but it enables platform-wide operational disruption from a low-privilege account. In practice, sustained exploitation can make chat functionality effectively unusable for other users on the system.
Resolution
Fixed in commit e7ff4768f (#23454, "Add ownership checks to global task endpoints"), first released in v0.9.0 (Apr 2026).
The fix takes a simpler approach than per-task ownership tracking, which would have required a schema change to attribute every task to a user_id:
GET /api/tasksandPOST /api/tasks/stop/{task_id}are restricted to admin-only viaDepends(get_admin_user). Cross-user enumeration and termination are no longer reachable from a non-admin account.- A new scoped
POST /api/tasks/chat/{chat_id}/stopendpoint covers the legitimate non-admin use case (a user stopping their own in-progress generation), reusing the same chat-ownership check the existingGET /api/tasks/chat/{chat_id}already enforces.
CVE-2025-63681 was a prior disclosure of the same authorization gap against v0.6.33; the fix in v0.9.0 also resolves that.
Users on >= 0.9.0 are not affected.
AnalysisAI
Broken object-level authorization in Open WebUI allows any authenticated low-privilege user to enumerate and terminate background tasks belonging to other users via GET /api/tasks and POST /api/tasks/stop/{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.
Technical ContextAI
Open WebUI is a Python-based web interface for LLM chat interactions, often deployed in multi-user environments with Redis-backed task management. The vulnerability stems from CWE-862 (Missing Authorization) in FastAPI route handlers that enforce only authentication (get_verified_user) without object-level authorization checks. The /api/tasks and /api/tasks/stop/{task_id} endpoints in backend/open_webui/main.py operate on a global Redis-backed task namespace (REDIS_TASKS_KEY) without verifying task ownership. Task metadata lacks user_id or chat_id attribution, so the stop_task() helper in backend/open_webui/tasks.py accepts raw task_id strings and performs operations without cross-referencing the caller's identity. This contrasts with the existing scoped GET /api/tasks/chat/{chat_id} endpoint, which correctly validates chat ownership before returning task IDs. The fix in commit e7ff4768f restricts global endpoints to admin-only (get_admin_user) and adds a new POST /api/tasks/chat/{chat_id}/stop endpoint with ownership validation, avoiding schema changes while closing the authorization gap.
RemediationAI
Upgrade Open WebUI to version 0.9.0 or later, released April 2026 per vendor advisory (https://github.com/open-webui/open-webui/releases/tag/v0.9.0). The fix in PR #23454 (commit e7ff4768f) restricts GET /api/tasks and POST /api/tasks/stop/{task_id} to admin-only access via get_admin_user dependency, preventing low-privilege cross-user task enumeration and termination. A new scoped endpoint POST /api/tasks/chat/{chat_id}/stop allows non-admin users to stop only their own chat-associated tasks, reusing existing chat ownership validation logic. Users on v0.9.0 or later are not affected. For deployments unable to upgrade immediately, implement network-layer access controls to restrict /api/tasks/* routes to admin IP ranges only, or apply an API gateway rule rejecting non-admin requests to these paths. Note this workaround breaks legitimate admin task management via API and does not provide per-user task control - full remediation requires the v0.9.0 upgrade. No vendor-supplied temporary mitigation preserves non-admin usability; compensating controls impose admin-only operational restrictions. Verify patch application by confirming non-admin authenticated requests to GET /api/tasks return 403 Forbidden, and POST /api/tasks/chat/{owned_chat_id}/stop succeeds while POST /api/tasks/stop/{arbitrary_task_id} returns 403.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30608
GHSA-8jjp-r2w2-4v22