Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data.
Details
- if notes is enabled from UI (Settings >> General >> Features >> Notes (Beta))
- From API, attacker can access other user notes
- if notes is disabled from UI (Settings >> General >> Features >> Notes (Beta))
- Then attacker can enable the notes from /api/config and access other user notes
PoC
- Step 1: Log in to the application as a valid user (User A).
- Step 2: Intercept or inspect the response from the endpoint GET /api/config.
- Step 3: Observe the field "enable_notes": false in the JSON response.
- Step 4: Manually change "enable_notes" to true using browser DevTools or by intercepting and modifying the response via a proxy like Burp Suite. (Please note, the occurrence of this API comes twice, hence modification needs to be made twice as well.)
- Step 5: Observe the loaded frontend application; the previously hidden notes form will now be visible.
- Step 6: Again, click on any note, intercept the request, and Replace the note_id in the URL with a different note ID known to belong to another user (e.g., by guessing or bruteforcing).
- Step 7: Send the modified request while remaining logged in as User A.
- Step 8: Observe that the server returns the content of another user's note, confirming unauthorized access.
Impact
- Unauthorized access to user-created notes
- Possible exposure of confidential or sensitive uploaded data
- Violation of user privacy and data isolation
- High risk of legal or compliance breaches in regulated environments
Resolution
Fixed in commit de3317e26, first released in v0.8.11 (Mar 2026). All per-id note endpoints (GET /api/v1/notes/{id}, POST /api/v1/notes/{id}/update, POST /api/v1/notes/{id}/access/update, deletion) now enforce ownership: the handler fetches the note, then requires the caller to be admin, the note owner, or have an AccessGrants grant for the appropriate permission (read for retrieval, write for mutation). A non-owner with no grant receives 403.
Users on >= 0.8.11 are not affected.
AnalysisAI
Open WebUI versions prior to 0.8.11 allow authenticated users to access notes belonging to other users via Indirect Object Reference (IDOR) in the /api/v1/notes/{note_id} endpoint, enabling unauthorized disclosure of potentially sensitive private data. The vulnerability is exploitable both when the notes feature is enabled in the UI and when disabled but re-enabled via /api/config endpoint manipulation, requiring only valid user authentication and UUID enumeration or guessing.
Technical ContextAI
Open WebUI is a Python-based web application (pip/open-webui) that provides a notes feature accessible through REST API endpoints. The /api/v1/notes/{note_id} endpoint lacks proper authorization checks and fails to verify that the authenticated user is the owner of or has explicit access grants to the requested note before returning its content. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a form of Insecure Direct Object Reference (IDOR). The backend does not validate ownership or access permissions before serving note content, relying instead on client-side hiding (via the enable_notes flag in /api/config) which can be bypassed by direct API manipulation. The fix enforces ownership validation by checking if the caller is an admin, the note owner, or holds an AccessGrants entry with appropriate read/write permissions before returning any note data.
RemediationAI
Vendor-released patch: Upgrade to Open WebUI version 0.8.11 or later immediately. This version enforces ownership and permission checks on all per-id note endpoints via the AccessGrants mechanism and admin/owner role validation. For organizations unable to upgrade immediately, disable the notes feature entirely via the Settings UI and block or monitor direct API access to /api/v1/notes/* endpoints using a Web Application Firewall or API gateway. Implement request-level authentication logging to detect enumeration attempts (sequential UUID access patterns in /api/v1/notes/ requests). Since the /api/config endpoint can be manipulated in-flight via client-side proxies, consider server-side enforcement of feature flags that cannot be overridden by client responses. See vendor advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-x3qm-p8hr-3c3h and patch commit https://github.com/open-webui/open-webui/commit/de3317e26bb67a2a7ea015a183bbd1d369880ebd.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30647
GHSA-x3qm-p8hr-3c3h