Authorization bypass through user-controlled key in Open WebUI - #VU130242

Published: May 6, 2026


Vulnerability identifier: #VU130242
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify other users' memories.

The vulnerability exists due to improper access control in the memories API when handling requests to memory query, update, and delete endpoints. A remote user can send crafted API requests using another user's memory identifier to disclose sensitive information and modify other users' memories.

The issue can expose memory contents and associated user ID values, and deleted memories can be restored through the update endpoint.
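The following Python is an added illustration of the defect class this entry describes (CWE-639, a record located by a client-supplied key with no ownership check); it is not Open WebUI's code, which this entry does not reproduce. It models a per-user memory store behind query, update and delete handlers, first with lookups keyed by the memory id alone and then with every lookup scoped to the authenticated user. The store, record shape, handler names, sample users and the HTTP framework being left out are all assumptions made for the example.

```python
"""Ownership-scoped access to per-user memory records.

Constructed example of CWE-639 in the style of a memories API. NOT the
project's code: store, record shape and handler names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Memory:
    id: str
    user_id: str   # owner; the only field an authorization check may trust
    content: str


class MemoryStore:
    """In-memory stand-in for the memories table (constructed for this example)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Memory] = {}

    def insert(self, row: Memory) -> None:
        self._rows[row.id] = row

    # ---- vulnerable pattern: rows are located by the client-supplied id alone ----

    def get_by_id(self, memory_id: str) -> Optional[Memory]:
        return self._rows.get(memory_id)

    def upsert_by_id(self, memory_id: str, user_id: str, content: str) -> Memory:
        # An "update" that also creates: no ownership proof, and a row deleted
        # earlier simply reappears under whatever id the client sent.
        row = self._rows.get(memory_id) or Memory(memory_id, user_id, content)
        row.content = content
        self._rows[memory_id] = row
        return row

    def delete_by_id(self, memory_id: str) -> bool:
        return self._rows.pop(memory_id, None) is not None

    # ---- hardened pattern: every lookup is scoped to the authenticated user ----

    def get_by_id_and_user(self, memory_id: str, user_id: str) -> Optional[Memory]:
        # Equivalent of SELECT ... WHERE id = ? AND user_id = ?
        row = self._rows.get(memory_id)
        return row if row is not None and row.user_id == user_id else None

    def update_by_id_and_user(self, memory_id: str, user_id: str, content: str) -> Optional[Memory]:
        # UPDATE ... WHERE id = ? AND user_id = ? (never an upsert): a foreign
        # row is untouched and a deleted row cannot be resurrected.
        row = self.get_by_id_and_user(memory_id, user_id)
        if row is None:
            return None
        row.content = content
        return row

    def delete_by_id_and_user(self, memory_id: str, user_id: str) -> bool:
        if self.get_by_id_and_user(memory_id, user_id) is None:
            return False
        del self._rows[memory_id]
        return True


# Handler layer: `caller` is the user id established by authentication
# (session or token), never a value taken from the request itself.

def query_memory(store: MemoryStore, caller: str, memory_id: str) -> Tuple[int, dict]:
    row = store.get_by_id_and_user(memory_id, caller)
    if row is None:
        # One answer for "unknown id" and "someone else's id", so the endpoint
        # neither returns nor confirms the existence of foreign memories.
        return 404, {"detail": "not found"}
    return 200, {"id": row.id, "content": row.content}


def update_memory(store: MemoryStore, caller: str, memory_id: str, content: str) -> Tuple[int, dict]:
    row = store.update_by_id_and_user(memory_id, caller, content)
    return (404, {"detail": "not found"}) if row is None else (200, {"id": row.id, "content": row.content})


def delete_memory(store: MemoryStore, caller: str, memory_id: str) -> Tuple[int, dict]:
    return (200, {"deleted": memory_id}) if store.delete_by_id_and_user(memory_id, caller) else (404, {"detail": "not found"})


def build_demo_store() -> MemoryStore:
    """Two users, one memory each (constructed sample data)."""
    store = MemoryStore()
    store.insert(Memory("m-1", "alice", "prefers metric units"))
    store.insert(Memory("m-2", "bob", "lives in Lisbon"))
    return store


def contrast() -> dict:
    """Issue the same cross-user requests against both patterns and report the outcome."""
    s = build_demo_store()
    leaked = s.get_by_id("m-2")                  # unscoped: alice receives bob's record
    s.delete_by_id("m-1")
    s.upsert_by_id("m-1", "alice", "stale")      # unscoped: deleted memory comes back
    resurrected = s.get_by_id("m-1") is not None

    h = build_demo_store()
    scoped_status, _ = query_memory(h, "alice", "m-2")
    delete_memory(h, "alice", "m-1")
    update_status, _ = update_memory(h, "alice", "m-1", "stale")
    return {
        "vulnerable_leaks_owner": leaked.user_id if leaked else None,
        "vulnerable_resurrects_deleted": resurrected,
        "hardened_cross_user_status": scoped_status,
        "hardened_update_after_delete_status": update_status,
        "hardened_row_still_deleted": h.get_by_id("m-1") is None,
    }


if __name__ == "__main__":
    print(contrast())
```

The fix is the same for all three endpoints: the owner id comes from the authenticated session and is part of the row lookup itself, so the query, update and delete paths cannot be steered at another user's record by changing the id, and an update that can only match an existing owned row cannot recreate a deleted one. For review and detection purposes, a write or read on a per-user table whose WHERE clause names the primary key but not the owning user is the pattern to look for.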


Remediation

Install the security update from the vendor's website.

Sources