Improper Authorization in Open WebUI - #VU130942

 


Published: May 11, 2026


Vulnerability identifier: #VU130942
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software: Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to modify another user's private model.

The vulnerability exists due to improper authorization in the model update function when handling POST requests to the model update endpoint. A remote user can send a crafted update request that targets another user's private model and modify it.

By changing access permissions as part of the edit, the user can gain unauthorized access.
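
The missing check described above, shown as an added example that is not Open WebUI's code: an update handler that applies the request to any model id, beside one that authorizes the caller against the stored record before applying any field. The `Model` shape, the in-memory `store`, the function names and the rule that only the owner or an admin may change the access list are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but not allowed to edit this model."""


@dataclass
class Model:  # hypothetical record shape, not Open WebUI's schema
    id: str
    owner_id: str
    name: str
    write_users: set = field(default_factory=set)  # ids the owner granted write access


def apply_form(model, form):
    model.name = form.get("name", model.name)
    if "write_users" in form:
        model.write_users = set(form["write_users"])
    return model


def update_model_unchecked(store, caller_id, model_id, form):
    # Flawed pattern: any logged-in caller can edit any model id,
    # including its access list.
    return apply_form(store[model_id], form)


def update_model_checked(store, caller_id, model_id, form, is_admin=False):
    model = store[model_id]
    is_owner = caller_id == model.owner_id
    # Decide from the STORED record, before any field of the form is applied.
    if not (is_admin or is_owner or caller_id in model.write_users):
        raise Forbidden(f"{caller_id} may not edit {model_id}")
    # Assumed policy: only the owner or an admin may change the access list.
    if "write_users" in form and not (is_admin or is_owner):
        raise Forbidden(f"{caller_id} may not change access on {model_id}")
    return apply_form(model, form)


def demo():
    form = {"name": "renamed", "write_users": ["bob"]}  # constructed request body
    store = {"m1": Model("m1", "alice", "private-notes")}
    update_model_unchecked(store, "bob", "m1", form)
    flawed = (store["m1"].name, "bob" in store["m1"].write_users)
    store = {"m1": Model("m1", "alice", "private-notes")}
    try:
        update_model_checked(store, "bob", "m1", form)
        blocked = False
    except Forbidden:
        blocked = True
    return flawed, blocked, store["m1"].name
```

A regression test for the vendor fix can follow the same shape: as a second low-privileged account, submit an update for a model that account does not own and assert that the request is rejected and the stored record is unchanged.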


Remediation

Install the security update from the vendor's website.
