Authorization bypass through user-controlled key in Open WebUI - CVE-2026-54006
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to modify another user's calendar contents.
The vulnerability exists due to authorization bypass through a user-controlled key in the POST /api/v1/calendars/events/{event_id}/update endpoint when updating an event's destination calendar_id. A remote user can send a crafted update request to modify another user's calendar contents.
The issue is reachable in the default configuration with calendar features enabled, and exploitation requires knowledge of the destination calendar ID.
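The following is an added illustration of this class of flaw and its fix, not code from Open WebUI. It assumes a hypothetical in-memory model (Calendar, Event, make_store and both update functions are invented names, and the data is constructed) in which the update handler authorizes the caller against the event's current calendar but trusts the calendar_id supplied in the request body. The hardened version also authorizes the destination.

```python
# Added illustration; not Open WebUI code. All names and data are constructed.
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller lacks rights on a referenced object."""

@dataclass
class Calendar:
    id: str
    owner_id: str

@dataclass
class Event:
    id: str
    calendar_id: str
    title: str

# Constructed sample data: two users, one calendar each, one event.
def make_store():
    calendars = {"cal-alice": Calendar("cal-alice", "alice"),
                 "cal-bob": Calendar("cal-bob", "bob")}
    events = {"ev-1": Event("ev-1", "cal-alice", "standup")}
    return calendars, events

def update_event_unchecked(user_id, event_id, patch, calendars, events):
    """Flawed pattern: authorizes the source event only."""
    event = events[event_id]
    if calendars[event.calendar_id].owner_id != user_id:
        raise Forbidden("no write access to event")
    # The destination calendar_id from the request body is trusted as-is.
    event.calendar_id = patch.get("calendar_id", event.calendar_id)
    event.title = patch.get("title", event.title)
    return event

def update_event_checked(user_id, event_id, patch, calendars, events):
    """Hardened pattern: authorizes source and destination calendars."""
    event = events[event_id]
    if calendars[event.calendar_id].owner_id != user_id:
        raise Forbidden("no write access to event")
    dest_id = patch.get("calendar_id", event.calendar_id)
    dest = calendars.get(dest_id)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if dest is None or dest.owner_id != user_id:
        raise Forbidden("no write access to destination calendar")
    event.calendar_id = dest_id
    event.title = patch.get("title", event.title)
    return event
```

A regression test for the fix should cover both directions: a move into a calendar the caller does not own must be rejected with the event left unchanged, and an update that keeps or omits calendar_id must still succeed.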