GHSA-H2CW-7QW9-56XR

Vulnerability from github – Published: 2026-05-14 20:26 – Updated: 2026-05-15 23:54
VLAI
Summary
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
Details

Summary

When setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt.

However users may consider their system prompt confidential, so we consider this a security issue.

Compare https://genai.owasp.org/llmrisk/llm072025-system-prompt-leakage/ or prompt injections to get popular chatbots on the internet to reveal their prompt.

Details

We discovered that users can open the workspace model edit page /workspace/models/edit?id=notmymodel for models that do not appear in their workspace.

Saving is not possible, that permission check is correct.

On the API level:

  • /api/v1/models/model?id=notmymodel -> returns the model details, most importantly params.system
  • even though /api/v1/models/list does NOT contain the model since it checks for write permission.
  • /api/models contains the model correctly and does not reveal the system prompt.

It seems inconsistent that the REST API list does not contain an item, but if you know the id, you can access it anyway.

PoC

  • create model
  • give read permission to group with another user
  • other user can access /api/v1/models/model?id=notmymodel

Impact

System prommpt leakage

If this is intended behavior for the "read" permission, maybe there should be an additional "use" permission (which would be 99% of use cases of the read permission i believe).

Severity
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:26:03Z",
    "nvd_published_at": "2026-05-15T21:16:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model\u0027s system prompt.\n\nHowever users may consider their system prompt confidential, so we consider this a security issue.\n\nCompare https://genai.owasp.org/llmrisk/llm072025-system-prompt-leakage/ or prompt injections to get popular chatbots on the internet to reveal their prompt.\n\n### Details\n\nWe discovered that users can open the workspace model edit page /workspace/models/edit?id=notmymodel for models that do not appear in their workspace.\n\nSaving is not possible, that permission check is correct.\n\nOn the API level:\n\n- ```/api/v1/models/model?id=notmymodel``` -\u003e returns the model details, most importantly params.system\n- even though ```/api/v1/models/list``` does NOT contain the model since it checks for write permission.\n- ```/api/models``` contains the model correctly and does not reveal the system prompt.\n\nIt seems inconsistent that the REST API list does not contain an item, but if you know the id, you can access it anyway.\n\n### PoC\n- create model\n- give read permission to group with another user\n- other user can access ```/api/v1/models/model?id=notmymodel```\n\n### Impact\nSystem prommpt leakage\n\nIf this is intended behavior for the \"read\" permission, maybe there should be an additional \"use\" permission (which would be 99% of use cases of the read permission i believe).",
  "id": "GHSA-h2cw-7qw9-56xr",
  "modified": "2026-05-15T23:54:25Z",
  "published": "2026-05-14T20:26:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-h2cw-7qw9-56xr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45387"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.