Authorization bypass through user-controlled key in Open WebUI - CVE-2026-54006

Published: June 30, 2026


Vulnerability identifier: #VU135946
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54006
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to modify another user's calendar contents.

The vulnerability exists due to an authorization bypass through a user-controlled key (CWE-639) in the POST /api/v1/calendars/events/{event_id}/update endpoint: the destination calendar_id supplied when updating an event is not properly checked against the requesting user's permissions. A remote user can therefore send a crafted update request that modifies another user's calendar contents.

The issue is reachable in the default configuration with calendar features enabled, and exploitation requires knowledge of the destination calendar ID.
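To make the CWE-639 pattern concrete, the following is an added example, not Open WebUI's code: a simplified event-update handler in the vulnerable shape the advisory describes (the event's current calendar is authorized but the client-supplied destination calendar_id is trusted) beside a hardened version that also verifies ownership of the destination. The Calendar/Event classes, the in-memory store and all names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Calendar:
    id: str
    owner_id: str


@dataclass
class Event:
    id: str
    calendar_id: str


class Forbidden(Exception):
    pass


def make_store():
    """Constructed sample data: alice owns two calendars, bob owns one,
    and alice has a single event in her personal calendar."""
    calendars = {
        "cal-alice": Calendar("cal-alice", owner_id="alice"),
        "cal-alice-work": Calendar("cal-alice-work", owner_id="alice"),
        "cal-bob": Calendar("cal-bob", owner_id="bob"),
    }
    events = {"evt-1": Event("evt-1", calendar_id="cal-alice")}
    return calendars, events


def update_event_unsafe(calendars, events, user_id, event_id, form):
    """Vulnerable shape (CWE-639): authorizes only on the event's current
    calendar, then moves it to whatever calendar_id the client sent."""
    event = events[event_id]
    if calendars[event.calendar_id].owner_id != user_id:
        raise Forbidden("event is not in one of your calendars")
    event.calendar_id = form["calendar_id"]  # user-controlled key, unchecked
    return event


def update_event_safe(calendars, events, user_id, event_id, form):
    """Hardened shape: the destination calendar must exist and be owned by
    the caller before the event is moved into it."""
    event = events[event_id]
    if calendars[event.calendar_id].owner_id != user_id:
        raise Forbidden("event is not in one of your calendars")
    dest = calendars.get(form["calendar_id"])
    if dest is None or dest.owner_id != user_id:
        raise Forbidden("destination calendar is not yours")
    event.calendar_id = dest.id
    return event
```

The check that matters is on the destination object, not only on the object being edited; any handler that accepts a foreign key from the request needs the same ownership lookup.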


How to mitigate CVE-2026-54006

Install the security update from the vendor's website.

Sources