Skip to main content

Open WebUI EUVDEUVD-2026-30646

| CVE-2026-45351 MEDIUM
Information Exposure (CWE-200)
2026-05-14 https://github.com/open-webui/open-webui GHSA-jh9g-8jqw-m2qx
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:32 vuln.today
Analysis Generated
May 14, 2026 - 21:32 vuln.today
CVE Published
May 14, 2026 - 20:25 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

_A regular user [non-admin] can view the system prompt of the model which is set by an admin._

Details

_When a regular user [non-admin] logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of available models set by admin on models pages in workspace affecting the confidentiality of application_

Affected System

_Open WebUI v0.6.40 "main" branch_

Vulnerability Details and Advisory from OWASP

LLM07:2025 System Prompt Leakage - https://genai.owasp.org/llmrisk/llm072025-system-prompt-leakage/

PoC

_1. Regular User [Non-Admin] login on Open WebUI application._ _2. A series of web requests get generated by the application, and the http://IP:8080/api/models? is also gets generated by application ._ _3. The response of http://IP:8080/api/models? web request reveals the system prompt of all the available models which is set is by the admin on models pages in workspace._ <img width="940" height="352" alt="system prompt leak" src="https://github.com/user-attachments/assets/bd2c76f1-398f-4bc8-a8b2-5e14a768c560" />

Web Request

GET /api/models? HTTP/1.1 Host: localhost:8080 sec-ch-ua-platform: "Linux" authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjdmYjUxMmFhLTBmMTAtNDRkZi1iOWY1LThmNDg2MWFhNWFmOCIsImV4cCI6MTc2NjU2MjE5OH0.yJpavBynKItPQv76SMGKK012JIf29PVUv9sjuCDuRGQ Accept-Language: en-US,en;q=0.9 sec-ch-ua: "Chromium";v="141", "Not?A_Brand";v="8" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 Accept: application/json Content-Type: application/json Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:8080/ Accept-Encoding: gzip, deflate, br Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjdmYjUxMmFhLTBmMTAtNDRkZi1iOWY1LThmNDg2MWFhNWFmOCIsImV4cCI6MTc2NjU2MjE5OH0.yJpavBynKItPQv76SMGKK012JIf29PVUv9sjuCDuRGQ Connection: keep-alive

Impact

_1. System prompts can reveal the model instructions, providing an attackers with inside knowledge about the system capabilities and bypass restrictions._ _2. Attacker can perform content manipulation affecting the input/output of the model._

Details from MITRE ATLAS

Discover LLM System Information - https://atlas.mitre.org/techniques/AML.T0069 Discover LLM System Information: System Instruction Keywords - https://atlas.mitre.org/techniques/AML.T0069.001 Discover LLM System Information: System Prompt - https://atlas.mitre.org/techniques/AML.T0069.002

Recommendation

_1. The web response should not reveal system prompt and related internal/back-end details regarding the model to the regular user._ _2. Only the model name and non-sensitive details should be revealed to regular user and internal/back-end details should not be disclosed._

AnalysisAI

Open WebUI versions up to 0.8.8 expose admin-configured system prompts to authenticated regular (non-admin) users through the /api/models API endpoint, allowing information disclosure of sensitive model instructions and internal configuration details. The vulnerability requires valid user authentication but no administrative privileges, enabling any authenticated user to retrieve confidential system prompts via a simple HTTP GET request. This is confirmed actively exploited in production deployments with a publicly available proof-of-concept.

Technical ContextAI

Open WebUI is a web-based interface for large language models that provides multi-user access control via JWT bearer token authentication. The vulnerability stems from improper access control on the /api/models API endpoint (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor). The endpoint returns model metadata including the system_prompt field to all authenticated users regardless of role, without implementing role-based filtering to restrict sensitive fields to administrators only. The affected versions (pip/open-webui <= 0.8.8) fail to implement proper authorization checks, conflating authentication (verification of user identity via valid JWT token at PR:L) with authorization (verification of user role). The API endpoint should filter response payloads based on the authenticated user's role, stripping or redacting system_prompt and other backend configuration details from non-admin responses.

RemediationAI

Vendor-released patch: upgrade to Open WebUI v0.8.9 or later. Apply the fix immediately via pip upgrade (pip install --upgrade open-webui>=0.8.9) or re-pull the latest Docker image if using containerized deployment. The patch implements role-based response filtering on the /api/models endpoint, stripping system_prompt and other sensitive backend fields from non-admin user responses while preserving model name, description, and non-sensitive metadata. Immediate workaround pending upgrade: disable or restrict network access to the /api/models endpoint for non-admin users at the reverse proxy or API gateway level (e.g., nginx location rules or AWS API Gateway resource policies), though this may break client-side model listing features and is not recommended long-term. Alternative compensating control: implement strict network segmentation limiting client access to the Open WebUI instance to trusted networks only, reducing the pool of potential users who can obtain the leaked prompts, but this does not prevent insider threats from authenticated users. A second interim measure: rotate all system prompts and model configuration details in admin settings to remove any sensitive operational information, reducing the value of exposed prompts to attackers, though this does not eliminate the information disclosure itself. The recommended path is immediate patching; workarounds are temporary measures only.

More in Chrome

View all
CVE-2015-5122 CRITICAL POC
9.8 Jul 14

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player

CVE-2016-5198 HIGH POC
8.8 Jan 19

V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac

CVE-2017-5070 HIGH POC
8.8 Oct 27

Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a

CVE-2016-1646 HIGH POC
8.8 Mar 29

The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2017-5030 HIGH POC
8.8 Apr 24

Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2015-5123 CRITICAL
9.8 Jul 14

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13

Share

EUVD-2026-30646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy