Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (history_entry.prompt_id == prompt.id). This affects /api/v1/prompts/id/{prompt_id}/history/diff, /api/v1/prompts/id/{prompt_id}/update/version, and /api/v1/prompts/id/{prompt_id}/history/{history_id}. An authenticated user with access to any prompt they control, plus a victim prompt_history.id, can read or delete another user's private prompt history. This vulnerability is fixed in 0.9.6.
Published: 2026-06-23
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI is a self‑hosted artificial intelligence platform that operates entirely offline. In versions before 0.9.6, its prompt‑version history API endpoints validate the prompt ID supplied in the URL but then use a caller‑supplied history ID without verifying that the history record belongs to that prompt. Consequently, any authenticated user who has control over a prompt and can determine or guess a victim’s prompt_history.id can read or delete that user's private prompt history. This is an IDOR vulnerability (CWE‑639) compounded by insufficient authorization controls (CWE‑284).

Affected Systems

The flaw exists in the open‑webui:open‑webui product on all releases prior to version 0.9.6. Any self‑hosted installation running an older version is vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker must first be authenticated and have ownership of at least one prompt, then acquire a victim’s history ID (which can be guessed or enumerated via API). Once these prerequisites are satisfied, the attacker can issue requests to read or delete the victim’s prompt history by hitting the exposed endpoints. The likely attack vector is an authenticated API request over the network; this is inferred from the description of the affected endpoints.

Generated by OpenCVE AI on June 24, 2026 at 10:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.6 or newer to apply the strict access controls so users can only request history entries belonging to prompts they own; implement ownership validation in future versions or custom patches.
  • Monitor API usage for anomalous read or delete requests against prompt history and review logs for potential abuse.
  • Audit access logs to detect unauthorized read or delete actions and investigate any breaches.

Generated by OpenCVE AI on June 24, 2026 at 10:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4r4w-2wgp-w7cj Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
History

Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (history_entry.prompt_id == prompt.id). This affects /api/v1/prompts/id/{prompt_id}/history/diff, /api/v1/prompts/id/{prompt_id}/update/version, and /api/v1/prompts/id/{prompt_id}/history/{history_id}. An authenticated user with access to any prompt they control, plus a victim prompt_history.id, can read or delete another user's private prompt history. This vulnerability is fixed in 0.9.6.
Title Open WebUI: Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
Weaknesses CWE-284
CWE-639
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}

Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:44:57.526Z

Reserved: 2026-06-11T16:34:11.636Z

Link: CVE-2026-54015

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T11:00:13Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-639

    Authorization Bypass Through User-Controlled Key