Authorization bypass through user-controlled key in Open WebUI - #VU131117


Published: May 12, 2026


Vulnerability identifier: #VU131117
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the /api/v1/notes/{note_id} endpoint: the note is looked up by the caller-supplied note_id without verifying that the requesting user is allowed to access it (CWE-639, authorization bypass through a user-controlled key). A remote authenticated user can substitute or enumerate note UUIDs in the path to read other users' notes and disclose sensitive information.

Exploitation requires the notes feature to be enabled, or the user can expose the notes interface themselves by modifying the /api/config response in the client; the feature flag therefore does not act as a server-side access control.
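The following is an added illustration of the CWE-639 pattern described above and of the ownership check that closes it. It is not Open WebUI's code: the store, the handler names (get_note_vulnerable, get_note_fixed), the sample users and the note contents are all hypothetical and constructed for the example. The last function is the two-account authorization test a pentester would run against such an endpoint.

```python
"""Added example: user-controlled key on a note-by-id endpoint (CWE-639).

Hypothetical model of the vulnerable lookup and of its hardened form.
Not Open WebUI's code; all names and sample data are constructed.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Note:
    id: str
    owner_id: str
    title: str
    body: str


class AccessDenied(Exception):
    """Raised when the caller is not authenticated."""


@dataclass
class NoteStore:
    # Constructed in-memory store standing in for the notes table.
    notes: dict[str, Note] = field(default_factory=dict)

    def add(self, owner_id: str, title: str, body: str) -> Note:
        note = Note(str(uuid.uuid4()), owner_id, title, body)
        self.notes[note.id] = note
        return note


def get_note_vulnerable(store: NoteStore, requester_id: str, note_id: str) -> Note:
    """Vulnerable pattern: authentication is checked, but the note is fetched
    purely by the caller-supplied key. Any logged-in user who knows or guesses
    a UUID reads another user's note."""
    if not requester_id:
        raise AccessDenied("not authenticated")
    note = store.notes.get(note_id)
    if note is None:
        raise KeyError(note_id)
    return note


def get_note_fixed(store: NoteStore, requester_id: str, note_id: str) -> Note:
    """Hardened pattern: the lookup is scoped to the requester, so ownership is
    enforced server-side regardless of whether the notes UI is shown.
    A missing note and a foreign note both surface as 'not found', so the
    endpoint cannot be used to confirm that a given UUID exists."""
    if not requester_id:
        raise AccessDenied("not authenticated")
    note = store.notes.get(note_id)
    if note is None or note.owner_id != requester_id:
        raise KeyError(note_id)
    return note


Handler = Callable[[NoteStore, str, str], Note]


def can_read(handler: Handler, store: NoteStore, user_id: str, note_id: str) -> bool:
    """Two-account authorization test: does user_id get the note back?
    True means the read succeeded."""
    try:
        handler(store, user_id, note_id)
        return True
    except (KeyError, AccessDenied):
        return False


def demo() -> dict[str, bool]:
    """Runs the cross-account check against both handlers."""
    store = NoteStore()
    alice_note = store.add("alice", "Q3 plan", "confidential")  # constructed
    store.add("bob", "grocery list", "milk")                   # constructed
    return {
        # bob reads alice's note by UUID: succeeds only in the vulnerable handler
        "vulnerable_leaks": can_read(get_note_vulnerable, store, "bob", alice_note.id),
        "fixed_leaks": can_read(get_note_fixed, store, "bob", alice_note.id),
        # the owner must still be able to read their own note after the fix
        "owner_can_read": can_read(get_note_fixed, store, "alice", alice_note.id),
    }


if __name__ == "__main__":
    print(demo())
```

The point of scoping the lookup to the requester rather than checking ownership after the fetch is that the same "not found" result covers both a nonexistent and a foreign note, which removes the endpoint as an oracle for UUID enumeration.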


Remediation

Install the security update from the vendor's website.

Sources