Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A user can modify another user's model even if its visibility is set to Private. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.
Details / PoC
The user Victim created a private model with the visibility set to private: !grafik
The user Attacker can edit this model using the following POST request:
POST /api/v1/models/model/update?id=aaabraaa HTTP/2
Host: domain.local
//Some headers removed
Te: trailers
{"id":"aaabraaa","base_model_id":"gpt-4o-POC","name":"testmodel","meta":{"profile_image_url":"/static/favicon.png","description":"","capabilities":{"vision":true,"usage":false,"citations":true},"suggestion_prompts":null,"tags":[],"toolIds":["test"]},"params":{},"user_id":"565c82e6-083f-42bb-bf0f-a4e214cfb9ad","access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}},"is_active":true,"updated_at":1737314575,"created_at":1737121281}Request / Response !grafik
Impact
A user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained.
AnalysisAI
Open WebUI fails to authorize model update requests, allowing authenticated users to modify private models belonging to other users and alter their access controls. Tested on version 0.5.4, this broken access control vulnerability affects all versions up to 0.5.6 and is exploitable via a direct POST request to the /api/v1/models/model/update endpoint without requiring special privileges beyond basic authentication.
Technical ContextAI
Open WebUI is a Python-based web application (pip package) for managing AI models and interactions. The vulnerability exists in the model update API endpoint (/api/v1/models/model/update), which accepts a model ID parameter and JSON payload containing model configuration, access control rules, and metadata. The root cause is a missing authorization check (CWE-285: Improper Authorization) in the backend handler for this endpoint. The application does not validate that the authenticated user issuing the update request is the owner of the target model before permitting modifications. The access_control object within the payload specifies read and write permissions by user_id and group_id, but since the authorization check is absent, any authenticated user can submit an update for any model ID they discover, effectively gaining the ability to reconfigure visibility and permissions of models created by other users.
RemediationAI
Upgrade to Open WebUI version 0.5.7 or later, which includes the authorization check fix. For organizations unable to immediately upgrade, implement network-level access controls restricting access to the /api/v1/models/model/update endpoint to trusted network segments or require additional authentication layers (e.g., IP whitelisting, reverse proxy authentication). Audit existing model configurations and access controls to detect unauthorized modifications. Review audit logs for POST requests to /api/v1/models/model/update with user_id values not matching the authenticated requester. No alternative workaround configuration is available; upgrading is the definitive remediation. The trade-off of network restriction is reduced functionality for legitimate users outside the trusted segment.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30650
GHSA-gm54-m39w-grjp