Improper access control in Open WebUI - #VU130168


Published: May 5, 2026


Vulnerability identifier: #VU130168
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify access permissions.

The vulnerability exists due to improper access control in the channel creation and update endpoints when handling the access_grants supplied in those requests. A remote user can submit crafted access grants to disclose sensitive information and modify access permissions.

Exploitation requires an account that can create group channels or ownership of an existing channel, and restrictive sharing permissions must be configured for regular users.
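The following is an illustrative server-side check for the class of flaw described above: it validates access grants on channel creation and update so that only the owner or an admin can change them, accounts with restricted sharing cannot attach grants, and a non-admin can only grant to groups it belongs to. This is an added example written for this page, not Open WebUI's code; the User and Channel models, the can_share flag and the grant rules are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ALLOWED_PERMS = {"read", "write"}  # assumed permission vocabulary for a grant


@dataclass
class User:
    id: str
    groups: Set[str] = field(default_factory=set)
    can_share: bool = True   # assumed site policy: may this account share with others?
    is_admin: bool = False


@dataclass
class Channel:
    id: str
    owner_id: str
    access_grants: Dict[str, Set[str]] = field(default_factory=dict)  # group_id -> perms


class GrantError(Exception):
    """Raised when a request carries access grants the requester may not apply."""


def validate_access_grants(requester: User, channel: Optional[Channel],
                           grants: Dict[str, list]) -> Dict[str, Set[str]]:
    """Return the sanitised grants to apply, or raise GrantError.

    channel is None on creation; on update it is the existing channel.
    """
    # 1. Changing grants on an existing channel requires ownership or admin.
    if channel is not None and not (requester.is_admin or channel.owner_id == requester.id):
        raise GrantError("only the channel owner or an admin may change access grants")
    # 2. An account with restricted sharing may not attach any grants.
    if grants and not (requester.can_share or requester.is_admin):
        raise GrantError("sharing is restricted for this account")
    cleaned: Dict[str, Set[str]] = {}
    for group_id, perms in grants.items():
        perm_set = set(perms)
        # 3. Permission values come from an allow-list, never from the client as-is.
        if not perm_set <= ALLOWED_PERMS:
            raise GrantError(f"unknown permission in grant for group {group_id}")
        # 4. A non-admin may only grant to groups it is itself a member of.
        if not requester.is_admin and group_id not in requester.groups:
            raise GrantError(f"requester is not a member of group {group_id}")
        cleaned[group_id] = perm_set
    return cleaned


def try_grants(requester: User, channel: Optional[Channel],
               grants: Dict[str, list]) -> Tuple[str, object]:
    """Convenience wrapper: ('ok', grants) on success, ('denied', reason) otherwise."""
    try:
        return "ok", validate_access_grants(requester, channel, grants)
    except GrantError as exc:
        return "denied", str(exc)
```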


Remediation

Install security update from vendor's website.

Sources