Authorization bypass through user-controlled key in Open WebUI - CVE-2026-54015

 


Published: June 30, 2026


Vulnerability identifier: #VU135939
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54015
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and delete prompt history entries.

The vulnerability exists due to an authorization bypass through a user-controlled key in the prompt version-history endpoints: caller-supplied history IDs are not checked to be bound to the prompt the caller is authorized for. A remote user can supply a victim's prompt history ID to read that user's prompt snapshots or delete that user's history entry, resulting in disclosure of sensitive information and deletion of prompt history entries.

Exploitation requires knowing or obtaining victim prompt history UUIDs. The delete impact is limited to version-history entries and does not destroy the active prompt row.
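The following is an added illustration of the CWE-639 pattern the advisory describes and of the check that closes it; it is not Open WebUI's own code, and every name, ID and data value in it is constructed for the example. The weak lookup resolves a version-history entry from the caller-supplied key alone, so any authenticated user who knows a history ID can read it. The hardened lookup resolves the entry only through the chain caller -> prompt -> history entry, and returns the same error for "does not exist" and "not yours" so the endpoint does not confirm which IDs are valid.

```python
"""Ownership check for prompt version-history lookups (added example, not Open WebUI code)."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Prompt:
    prompt_id: str
    owner_id: str


@dataclass(frozen=True)
class HistoryEntry:
    history_id: str
    prompt_id: str
    content: str


class NotFound(Exception):
    """One error for both unknown and unauthorized lookups, so IDs cannot be enumerated."""


# Constructed sample data: two users, each owning one prompt with one snapshot.
PROMPTS: Dict[str, Prompt] = {
    "p-alice": Prompt("p-alice", "alice"),
    "p-bob": Prompt("p-bob", "bob"),
}
HISTORY: Dict[str, HistoryEntry] = {
    "h-alice-1": HistoryEntry("h-alice-1", "p-alice", "alice's draft"),
    "h-bob-1": HistoryEntry("h-bob-1", "p-bob", "bob's draft"),
}


def get_history_unbound(history_id: str) -> HistoryEntry:
    """The weak pattern: the caller-supplied key is the only input to the lookup.

    Nothing ties the history entry to the caller or to a prompt the caller owns.
    """
    entry = HISTORY.get(history_id)
    if entry is None:
        raise NotFound
    return entry


def _authorized_entry(user_id: str, prompt_id: str, history_id: str) -> HistoryEntry:
    """Resolve the entry only via caller -> owned prompt -> entry bound to that prompt."""
    prompt = PROMPTS.get(prompt_id)
    if prompt is None or prompt.owner_id != user_id:
        raise NotFound  # do not reveal whether the prompt exists
    entry = HISTORY.get(history_id)
    if entry is None or entry.prompt_id != prompt.prompt_id:
        raise NotFound  # the history ID must belong to the authorized prompt
    return entry


def get_history_bound(user_id: str, prompt_id: str, history_id: str) -> HistoryEntry:
    """Hardened read: returns the entry only if it is bound to the caller's prompt."""
    return _authorized_entry(user_id, prompt_id, history_id)


def delete_history_bound(user_id: str, prompt_id: str, history_id: str) -> bool:
    """Hardened delete: the same ownership chain is enforced before mutating state."""
    entry = _authorized_entry(user_id, prompt_id, history_id)
    del HISTORY[entry.history_id]
    return True


def can_read(user_id: str, prompt_id: str, history_id: str) -> bool:
    """Audit helper: True only when the bound lookup succeeds for this caller."""
    try:
        get_history_bound(user_id, prompt_id, history_id)
        return True
    except NotFound:
        return False
```

The design point is that the history ID is never trusted as an authorization input on its own: the request must name the prompt, the prompt must belong to the caller, and the entry must belong to that prompt. Applied to both the read and the delete handler, the same helper gives one place to audit.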


How to mitigate CVE-2026-54015

Install the security update from the vendor's website.

Sources