Impact
Open WebUI is a self-hosted artificial intelligence platform that runs entirely offline. Prior to version 0.9.6, the POST /api/v1/calendars/events/{event_id}/update endpoint validates that the caller has write access to the calendar the event currently belongs to, but it does not validate the destination calendar_id supplied in the request body. The model layer then persists the new calendar_id unconditionally, enabling a regular user-role account to create an event in their own calendar and immediately move it into any other user's calendar whose ID they know. This bypasses the authorization check that create_event correctly performs, allowing an attacker to write events into another user's calendar. The flaw is fixed in 0.9.6.
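To make the authorization gap concrete, the following is an added example and not Open WebUI's own code: a small in-memory model of calendars and events in which `update_event_vulnerable` reproduces the pre-0.9.6 shape of the check (current calendar only) and `update_event_fixed` applies the same destination-calendar check that `create_event` performs. The `Calendar`, `Event` and `Store` types, the owner-only `can_write` rule, and the sample IDs (`cal-a1`, `cal-b`, `ev-1`) are all assumptions chosen for the illustration.

```python
"""Simplified, hypothetical model of the update-endpoint authorization gap.
Added example, not Open WebUI's code: the types, the in-memory Store and the
owner-only can_write() rule are assumptions made to keep the flaw and its fix
visible in a few lines."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Calendar:
    id: str
    owner_id: str


@dataclass
class Event:
    id: str
    calendar_id: str
    title: str


@dataclass
class Store:
    calendars: Dict[str, Calendar] = field(default_factory=dict)
    events: Dict[str, Event] = field(default_factory=dict)


def can_write(store: Store, user_id: str, calendar_id: str) -> bool:
    """Assumed access rule: only a calendar's owner may write to it.
    An unknown calendar_id is treated as not writable."""
    cal = store.calendars.get(calendar_id)
    return cal is not None and cal.owner_id == user_id


def create_event(store: Store, user_id: str, event_id: str,
                 calendar_id: str, title: str) -> Event:
    """Mirrors the correct behaviour the advisory attributes to create_event:
    the destination calendar is authorized before anything is persisted."""
    if not can_write(store, user_id, calendar_id):
        raise PermissionError(f"{user_id} may not write to {calendar_id}")
    ev = Event(event_id, calendar_id, title)
    store.events[event_id] = ev
    return ev


def update_event_vulnerable(store: Store, user_id: str, event_id: str,
                            form: dict) -> Event:
    """Pre-0.9.6 shape: authorizes the event's *current* calendar only,
    then persists whatever calendar_id the request body carries."""
    ev = store.events[event_id]
    if not can_write(store, user_id, ev.calendar_id):
        raise PermissionError(f"{user_id} may not write to {ev.calendar_id}")
    # Missing check: form["calendar_id"] is never authorized.
    ev.calendar_id = form.get("calendar_id", ev.calendar_id)
    ev.title = form.get("title", ev.title)
    return ev


def update_event_fixed(store: Store, user_id: str, event_id: str,
                       form: dict) -> Event:
    """Hardened update: changing calendar_id is a write to the destination
    calendar, so it gets the same check create_event applies."""
    ev = store.events[event_id]
    if not can_write(store, user_id, ev.calendar_id):
        raise PermissionError(f"{user_id} may not write to {ev.calendar_id}")
    dest = form.get("calendar_id", ev.calendar_id)
    if dest != ev.calendar_id and not can_write(store, user_id, dest):
        raise PermissionError(f"{user_id} may not move event into {dest}")
    ev.calendar_id = dest
    ev.title = form.get("title", ev.title)
    return ev


def make_store() -> Store:
    """Constructed sample data: alice owns cal-a1 and cal-a2, bob owns cal-b."""
    s = Store()
    for cid, owner in (("cal-a1", "alice"), ("cal-a2", "alice"), ("cal-b", "bob")):
        s.calendars[cid] = Calendar(cid, owner)
    return s


def run_scenario(update) -> dict:
    """alice creates an event in her own calendar, then (1) tries to move it
    into bob's calendar and (2) moves it between her own calendars.
    Returns the outcome of each step so the two handlers can be compared."""
    store = make_store()
    create_event(store, "alice", "ev-1", "cal-a1", "standup")
    result = {}
    try:
        update(store, "alice", "ev-1", {"calendar_id": "cal-b"})
        result["cross_user_move"] = "allowed"
    except PermissionError:
        result["cross_user_move"] = "denied"
    result["event_calendar"] = store.events["ev-1"].calendar_id
    # A legitimate move between the caller's own calendars must still work.
    store2 = make_store()
    create_event(store2, "alice", "ev-2", "cal-a1", "review")
    update(store2, "alice", "ev-2", {"calendar_id": "cal-a2", "title": "review v2"})
    result["own_move"] = store2.events["ev-2"].calendar_id
    return result


if __name__ == "__main__":
    print("vulnerable:", run_scenario(update_event_vulnerable))
    print("fixed:     ", run_scenario(update_event_fixed))
```

The fix keeps the original check on the event's current calendar and adds one line of policy: a change of `calendar_id` is treated as a write to the destination, authorized with the same rule `create_event` uses. Because `can_write` returns false for unknown IDs, the hardened path also rejects moves into calendars that do not exist, while a move between two calendars the caller owns still succeeds.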
Affected Systems
The vulnerability affects installations of the open-webui:open-webui package running any version prior to 0.9.6. The Open WebUI platform is a self-hosted artificial intelligence system that operates offline, and the issue resides in the /api/v1/calendars/events/{event_id}/update endpoint. On affected releases, a regular user-role account can exploit the flaw to write data into any other user's calendar whose ID it knows.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in CISA's KEV catalog. An attacker needs an authenticated account on the self-hosted instance and knowledge of the target calendar's identifier, which is not protected by the application. The flaw bypasses the standard authorization check, allowing an authenticated user to modify another user's calendar entries. While no external exploitation has been documented, the internal nature of the API and the moderate CVSS score suggest a moderate likelihood of exploitation in compromised or privileged internal environments.
Sources: OpenCVE Enrichment; GitHub GHSA