CVE-2026-45387 - Vulnerability Details

- Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However users may consider their system prompt confidential, so this is considered a security issue. This vulnerability is fixed in 0.9.5.

Published: 2026-05-15

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Open WebUI versions prior to 0.9.5 can allow users with read access to a shared model to view the model's system prompt. This unintentionally exposes text that users may consider confidential, leading to an information disclosure vulnerability identified as CWE‑200. No exploitation of code or denial of service is possible; the impact is purely data leakage.

Affected Systems

The product affected is Open WebUI from the vendor open‑webui. All releases before 0.9.5 are vulnerable; the fix is included in version 0.9.5 and later.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity level. Exploitation requires that an attacker already has read permission to a shared model, so the attack vector is local to the platform's permission model. EPSS information is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that widespread exploitation has not been reported. Overall, the risk is moderate, primarily due to potential disclosure of sensitive prompt data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

open-webui

affected

Version	Status	Constraints
`< 0.9.5`	affected	—

Configuration 1 [-]

cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Open-webui

100%

Version	Status	Scheme	Platform
`[0,0.9.5)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Open WebUI to version 0.9.5 or later, which contains the fix for the system prompt leakage.
If an upgrade cannot be performed immediately, restrict read permissions to only trusted or internal users and avoid sharing models that contain sensitive system prompts.
Validate that the system configuration does not expose the system prompt field to users with read access, and monitor forthcoming releases for additional security updates.

Generated by OpenCVE AI on May 15, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-h2cw-7qw9-56xr	Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00026.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/open-webui/open-webui/security/advisories/GHSA-h2cw-7qw9-56xr

History

Tue, 19 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openwebui Openwebui open Webui
CPEs		cpe:2.3:a:openwebui:open_webui::::::::
Vendors & Products		Openwebui Openwebui open Webui

Fri, 15 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Open-webui Open-webui open-webui
Vendors & Products		Open-webui Open-webui open-webui

Fri, 15 May 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 15 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However users may consider their system prompt confidential, so this is considered a security issue. This vulnerability is fixed in 0.9.5.
Title		Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
Weaknesses		CWE-200
References		https://github.com/open-webui/open-webui/security/advisories/GHSA-h2cw-7qw9-56xr
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Open-webui Open-webui

Openwebui Open Webui

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-15T20:32:02.012Z

Updated: 2026-05-15T21:08:29.508Z

Reserved: 2026-05-12T00:51:29.087Z

Link: CVE-2026-45387

Vulnrichment

Updated: 2026-05-15T21:08:18.979Z

NVD

Status : Analyzed

Published: 2026-05-15T21:16:37.177

Modified: 2026-05-19T03:05:44.803

Link: CVE-2026-45387

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:30:08Z

Weaknesses

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object