Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key (generated in OWUI) and the Chat ID of another user to continue the conversation of the other user. This vulnerability is fixed in 0.9.0.
Published: 2026-05-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI before 0.9.0 allows any authenticated user to call the /api/chat/completions endpoint with a Chat ID belonging to another user and continue that user's conversation. The weakness is CWE‑639 (Authorization Bypass Through User‑Controlled Key): the endpoint authenticates the caller via their own API key but does not check that the caller owns the chat identified by the client‑supplied ID. An attacker can therefore read the existing messages of the target conversation and append to it, which the CVSS vector reflects as high confidentiality impact and low integrity impact. The flaw does not permit code execution, privilege escalation, or modification of system configuration.
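The following is an added example, not Open WebUI's code and not the actual 0.9.0 patch (the page does not show it). It models the CWE‑639 pattern described above in Python: a chat‑continuation handler that authenticates the caller but fetches the chat by the client‑supplied ID alone, next to a hardened handler that binds the lookup to the authenticated user. Users, chats, API keys and message text are constructed for the illustration.

```python
"""Added example (not Open WebUI's code): the access-control defect class
behind this CVE, CWE-639, shown as a vulnerable chat-continuation handler
beside a hardened one. Names, data and the key store are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class Forbidden(Exception):
    """Authenticated caller is not allowed to use this chat."""


class Unauthenticated(Exception):
    """API key is unknown."""


@dataclass
class Chat:
    chat_id: str
    owner_id: str
    messages: List[str] = field(default_factory=list)


# Constructed API-key table standing in for the real key store.
API_KEYS: Dict[str, str] = {"sk-alice": "alice", "sk-bob": "bob"}


def make_store() -> Dict[str, Chat]:
    """Fresh constructed chat store: one chat per user."""
    return {
        "chat-alice-1": Chat("chat-alice-1", "alice", ["alice: draft of the Q3 report"]),
        "chat-bob-1": Chat("chat-bob-1", "bob", ["bob: hello"]),
    }


def authenticate(api_key: str) -> str:
    """Map an API key to a user id, or reject the request."""
    user = API_KEYS.get(api_key)
    if user is None:
        raise Unauthenticated("unknown API key")
    return user


def continue_chat_vulnerable(store: Dict[str, Chat], api_key: str,
                             chat_id: str, message: str) -> List[str]:
    """Vulnerable pattern: authentication happens, authorization does not.
    The chat is fetched by the client-supplied id alone, so any valid key
    can read and append to any chat."""
    authenticate(api_key)                 # establishes who the caller is...
    chat = store.get(chat_id)             # ...but never whether the chat is theirs
    if chat is None:
        raise Forbidden("chat not found")
    chat.messages.append(message)
    return list(chat.messages)


def continue_chat_fixed(store: Dict[str, Chat], api_key: str,
                        chat_id: str, message: str) -> List[str]:
    """Hardened pattern: the lookup is bound to the authenticated principal.
    'Missing' and 'not yours' produce the same error so the endpoint cannot
    be used to enumerate which chat ids exist."""
    user = authenticate(api_key)
    chat = store.get(chat_id)
    if chat is None or chat.owner_id != user:
        raise Forbidden("chat not found")
    chat.messages.append(message)
    return list(chat.messages)


def cross_user_access_allowed(handler: Callable) -> bool:
    """Probe: can bob, holding his own valid key, append to alice's chat
    through `handler`? A fresh store is used so probes do not interfere."""
    store = make_store()
    try:
        handler(store, "sk-bob", "chat-alice-1", "bob: injected")
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_user_access_allowed(continue_chat_vulnerable))
    print("fixed handler leaks:     ", cross_user_access_allowed(continue_chat_fixed))
```

The probe is the test a reviewer would write for this class of bug: two legitimate accounts, one's credentials used against the other's resource. The hardened handler checks ownership in the same query path as the lookup rather than in a separate step, so there is no code path that returns a chat without having compared its owner to the caller.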

Affected Systems

The flaw exists in all Open WebUI releases prior to version 0.9.0. Any deployment of the open‑webui/open‑webui project that has not been updated to 0.9.0 is affected, regardless of how it is hosted; the vulnerable component is the Open WebUI application itself, reached over HTTP(S) by every user who can authenticate to it.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) yields a base score of 7.1, High: network‑reachable, low attack complexity, low privileges (any account able to generate an API key), no user interaction, high confidentiality impact and low integrity impact. The EPSS score is below 1% and the CVE is not in CISA's KEV catalogue, so at publication there is no public evidence of exploitation in the wild; that says nothing about difficulty, which is minimal. An attacker needs only their own valid API key and the Chat ID of a target conversation, after which the endpoint performs no further authorization check. The advisory does not describe how an attacker would learn another user's Chat ID, so whether the IDs are guessable or must be obtained by other means is not established by this page.

Generated by OpenCVE AI on May 15, 2026 at 21:05 UTC.

Remediation

Fixed in Open WebUI 0.9.0 (per the CVE description and GHSA-gfm2-xm6c-37qc). No workaround short of upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.0 or later; this is the only documented fix for the broken access control flaw.
  • Revoke API keys that have been shared or may have been exposed, and review which accounts hold keys at all. Note that exploitation does not require a leaked key: any account's own key suffices, so key hygiene limits the attacker population but does not remove the flaw.
  • Verify after the upgrade that a chat ID owned by one test account is rejected when submitted to /api/chat/completions with a second account's API key. The ownership check must be enforced server‑side by the application; there is no operator‑side role or permission setting on a vulnerable version that substitutes for it.
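As an added example (not OpenCVE's or Open WebUI's code), the version comparison an operator needs when sweeping an estate for the 0.9.0 fix. It assumes the deployed version string is obtained out of band, for example from the admin UI or the container image tag; no endpoint or field name is taken from the advisory. The parser handles a leading "v", two‑digit components (a plain string compare would wrongly rank "0.10.1" below "0.9.0") and pre‑release suffixes, which are treated as older than the corresponding release.

```python
"""Added example: is a reported Open WebUI version older than the 0.9.0 fix?

Assumptions (not from the advisory): the version string comes from the
operator's own inventory, admin UI or image tag; the formats accepted
below are those commonly seen in such sources."""
import re
from typing import Tuple

FIXED_VERSION: Tuple[int, int, int] = (0, 9, 0)

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)"                 # major.minor.patch
    r"(?:[-.]?(rc|beta|alpha|dev)\.?(\d*))?"  # optional pre-release tag
    r"$"
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '0.9.0', 'v0.8.12' or '0.9.0-rc1' into a comparable tuple.

    The fourth element ranks pre-releases (0) below final releases (1),
    so 0.9.0-rc1 sorts before 0.9.0 and therefore counts as affected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_release = 0 if m.group(4) else 1
    return (major, minor, patch, is_release)


def is_affected(version_text: str) -> bool:
    """True when the version predates the fixed release 0.9.0."""
    return parse_version(version_text) < FIXED_VERSION + (1,)


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' / 'fixed' / 'unknown' for a constructed
    inventory of {host: version_string}. Unparseable strings are reported
    as 'unknown' rather than silently treated as fixed."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {"owui-a": "v0.8.12", "owui-b": "0.9.0", "owui-c": "0.10.1",
              "owui-d": "0.9.0-rc1", "owui-e": "latest"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Report "unknown" entries for manual follow‑up rather than dropping them; an image tagged "latest" tells you nothing about whether it was pulled before or after the fix shipped.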



Advisories
Source       ID                    Title
GitHub GHSA  GHSA-gfm2-xm6c-37qc   Open WebUI has Broken Access Control for Completions API
History

Fri, 15 May 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Open-webui; Open-webui open-webui
Vendors & Products   (none)           Open-webui; Open-webui open-webui

Fri, 15 May 2026 19:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key (generated in OWUI) and the Chat ID of another user to continue the conversation of the other user. This vulnerability is fixed in 0.9.0.
Title        (none)           Open WebUI: Broken Access Control for Completions API
Weaknesses   (none)           CWE-639
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T19:20:37.264Z

Reserved: 2026-05-11T21:40:08.177Z

Link: CVE-2026-45349

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T20:16:48.823

Modified: 2026-05-15T20:16:48.823

Link: CVE-2026-45349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:15:08Z

Weaknesses