Improper Authorization in Open WebUI - #VU130237


Published: May 6, 2026


Vulnerability identifier: #VU130237
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote attacker to access authenticated API functionality and disclose limited information, modify limited data, or affect availability.

The vulnerability exists due to improper authorization in authenticated API endpoints when handling requests with a valid JWT issued to a newly registered pending account. A remote attacker can sign up for an account and use the returned token to reach endpoints intended for verified users, thereby accessing authenticated API functionality and disclosing limited information, modifying limited data, or affecting availability.

Only deployments with new sign-ups enabled are exposed to registration-based exploitation; the underlying weakness is that pending accounts are treated as authenticated users by the API, with the restriction enforced only on the client side.
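The weakness described above is the gap between "holds a valid token" and "is an account the endpoint should serve". The following is an added illustration, not Open WebUI's code: it models a sign-up-style token, a flawed gate that accepts any validly signed token, and a hardened gate that also looks up the account's role server-side and refuses `pending`. The signing scheme, secret and user store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret and user store (assumption; not Open WebUI's data).
SECRET = b"demo-signing-key"
USERS = {
    "u1": {"email": "alice@example.test", "role": "admin"},
    "u2": {"email": "bob@example.test", "role": "user"},
    "u3": {"email": "eve@example.test", "role": "pending"},  # freshly signed up
}
# Roles allowed onto verified-user endpoints; "pending" is deliberately absent.
ACTIVE_ROLES = {"admin", "user"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(user_id: str) -> str:
    """Mint a minimal HMAC-signed token (stand-in for the JWT returned at sign-up)."""
    payload = _b64(json.dumps({"sub": user_id}).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str):
    """Return the token subject if the signature checks out, otherwise None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("sub")


def authorize_weak(token: str) -> bool:
    """Flawed gate: a validly signed token is enough, so pending accounts pass."""
    sub = verify_token(token)
    return sub is not None and sub in USERS


def authorize_hardened(token: str) -> bool:
    """Server-side gate: valid token AND account role read from the store."""
    sub = verify_token(token)
    if sub is None:
        return False
    user = USERS.get(sub)
    return user is not None and user["role"] in ACTIVE_ROLES
```

The point of the hardened gate is that the role comes from the server's own record at request time, so a client that ignores UI restrictions gains nothing from a pending account's token.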


Remediation

Install security update from vendor's website.

Sources