Improper access control in Open WebUI - #VU130959

 

Published: May 11, 2026


Vulnerability identifier: #VU130959
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Open WebUI
Software vendor:
Open WebUI

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the /api/v1/models/model endpoint when handling requests for model details by id. A remote user can send a request for a shared model identifier to disclose sensitive information.

The issue exposes the model's system prompt to users who were granted read access for model use.
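
The access-control pattern described above, shown as an added example. This is not Open WebUI code: the record layout, the field names and the function names are hypothetical, and the sample data is constructed. It contrasts a detail handler that returns the full record to any caller holding a grant with one that releases the system prompt only to callers with write access.

```python
from dataclasses import dataclass, field

# Hypothetical record; field names are assumptions, not Open WebUI's schema.
@dataclass
class Model:
    id: str
    name: str
    owner_id: str
    system_prompt: str
    read_users: set = field(default_factory=set)   # may use the model
    write_users: set = field(default_factory=set)  # may edit the model

class Forbidden(Exception):
    """Caller has no grant on the requested model."""

def access_level(model, user_id, is_admin=False):
    """Return 'write', 'read' or None for this caller."""
    if is_admin or user_id == model.owner_id or user_id in model.write_users:
        return "write"
    return "read" if user_id in model.read_users else None

def model_detail_flawed(model, user_id, is_admin=False):
    """Flawed pattern: any grant at all returns the full record."""
    if access_level(model, user_id, is_admin) is None:
        raise Forbidden(model.id)
    return {"id": model.id, "name": model.name,
            "system_prompt": model.system_prompt}

def model_detail_hardened(model, user_id, is_admin=False):
    """Read grant returns only what is needed to select and use the model."""
    level = access_level(model, user_id, is_admin)
    if level is None:
        raise Forbidden(model.id)
    detail = {"id": model.id, "name": model.name}
    if level == "write":  # only owners, editors and admins see the prompt
        detail["system_prompt"] = model.system_prompt
    return detail

# Constructed sample: alice owns the model, bob holds a read grant only.
SAMPLE = Model(id="support-bot", name="Support Bot", owner_id="alice",
               system_prompt="(constructed) internal instructions",
               read_users={"bob"})

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, sorted(model_detail_hardened(SAMPLE, user)))
```

The same assertions work as a regression test against a patched deployment: a read-only account's model detail response should not contain the prompt field.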


Remediation

Install the security update from the vendor's website.
