Skip to main content

Open WebUI EUVDEUVD-2026-30650

| CVE-2026-45345 MEDIUM
Improper Authorization (CWE-285)
2026-05-14 https://github.com/open-webui/open-webui GHSA-gm54-m39w-grjp
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:20 vuln.today
Analysis Generated
May 14, 2026 - 21:20 vuln.today
CVE Published
May 14, 2026 - 20:21 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

A user can modify another user's model even if its visibility is set to Private. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.

Details / PoC

The user Victim created a private model with the visibility set to private: !grafik

The user Attacker can edit this model using the following POST request:

POST /api/v1/models/model/update?id=aaabraaa HTTP/2
Host: domain.local
//Some headers removed
Te: trailers

{"id":"aaabraaa","base_model_id":"gpt-4o-POC","name":"testmodel","meta":{"profile_image_url":"/static/favicon.png","description":"","capabilities":{"vision":true,"usage":false,"citations":true},"suggestion_prompts":null,"tags":[],"toolIds":["test"]},"params":{},"user_id":"565c82e6-083f-42bb-bf0f-a4e214cfb9ad","access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}},"is_active":true,"updated_at":1737314575,"created_at":1737121281}

Request / Response !grafik

Impact

A user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained.

AnalysisAI

Open WebUI fails to authorize model update requests, allowing authenticated users to modify private models belonging to other users and alter their access controls. Tested on version 0.5.4, this broken access control vulnerability affects all versions up to 0.5.6 and is exploitable via a direct POST request to the /api/v1/models/model/update endpoint without requiring special privileges beyond basic authentication.

Technical ContextAI

Open WebUI is a Python-based web application (pip package) for managing AI models and interactions. The vulnerability exists in the model update API endpoint (/api/v1/models/model/update), which accepts a model ID parameter and JSON payload containing model configuration, access control rules, and metadata. The root cause is a missing authorization check (CWE-285: Improper Authorization) in the backend handler for this endpoint. The application does not validate that the authenticated user issuing the update request is the owner of the target model before permitting modifications. The access_control object within the payload specifies read and write permissions by user_id and group_id, but since the authorization check is absent, any authenticated user can submit an update for any model ID they discover, effectively gaining the ability to reconfigure visibility and permissions of models created by other users.

RemediationAI

Upgrade to Open WebUI version 0.5.7 or later, which includes the authorization check fix. For organizations unable to immediately upgrade, implement network-level access controls restricting access to the /api/v1/models/model/update endpoint to trusted network segments or require additional authentication layers (e.g., IP whitelisting, reverse proxy authentication). Audit existing model configurations and access controls to detect unauthorized modifications. Review audit logs for POST requests to /api/v1/models/model/update with user_id values not matching the authenticated requester. No alternative workaround configuration is available; upgrading is the definitive remediation. The trade-off of network restriction is reduced functionality for legitimate users outside the trusted segment.

Share

EUVD-2026-30650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy