PatchSiren cyber security CVE debrief
CVE-2026-45339 open-webui CVE debrief
Open WebUI versions prior to 0.9.0 contain an authorization bypass in the enforcement of API key endpoint restrictions. When an administrator restricts an API key to a subset of endpoints, the restriction is enforced for requests that present the key in the `Authorization: Bearer sk-...` header, which correctly receive HTTP 403 Forbidden. The identical key presented in the `x-api-key` header bypasses the restriction entirely, so a restricted key can reach blocked endpoints such as `/api/v1/messages` with full model invocation and response generation. This is a case of inconsistent authorization enforcement across authentication pathways (CWE-863, Incorrect Authorization). The vulnerability was disclosed on 2026-05-15 and last modified on 2026-05-19. Organizations running affected versions should upgrade to Open WebUI 0.9.0 or later to remediate this issue.
- Vendor: open-webui
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-19
Who should care
Organizations self-hosting Open WebUI for offline AI operations, particularly those relying on API key endpoint restrictions for access control or compliance purposes.
Technical summary
The vulnerability stems from authorization logic that validates endpoint restrictions on the Bearer token path but does not apply the same check when the identical API key arrives in the x-api-key header. The key still authenticates as the same principal; what it escapes is the per-key endpoint restriction, so a deliberately scoped key reaches any endpoint simply by switching headers, which is in effect a privilege escalation for the key holder. The fix in version 0.9.0 unifies authorization enforcement across both authentication pathways.
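The pattern described above, as an added illustrative model rather than Open WebUI's own code: the key store, the restriction model (a set of allowed paths per key, empty meaning unrestricted), the sample keys and both `authorize_*` functions are assumptions made for this example. `authorize_vulnerable` keeps the restriction check only on the Bearer branch, which is the shape of the defect; `authorize_fixed` extracts the credential once and applies the same check regardless of which header carried it.

```python
# Illustrative model of the CVE-2026-45339 defect. NOT Open WebUI source code;
# the key store, the restriction model and both authorize functions are
# assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class ApiKey:
    secret: str
    owner: str
    # Hypothetical restriction model: an empty set means "no restriction".
    allowed_endpoints: FrozenSet[str] = frozenset()


# Constructed sample keys for the example (not real credentials).
KEY_STORE: Dict[str, ApiKey] = {
    "sk-restricted-demo": ApiKey("sk-restricted-demo", "embed-bot",
                                 frozenset({"/api/v1/models"})),
    "sk-unrestricted-demo": ApiKey("sk-unrestricted-demo", "admin"),
}


def _lookup(raw: Optional[str]) -> Optional[ApiKey]:
    return KEY_STORE.get(raw) if raw else None


def _endpoint_allowed(key: ApiKey, path: str) -> bool:
    return not key.allowed_endpoints or path in key.allowed_endpoints


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; compare on a lower-cased copy.
    return {k.lower(): v for k, v in headers.items()}


def authorize_vulnerable(headers: Dict[str, str], path: str) -> int:
    """Pre-0.9.0 shape: the restriction check lives only on the Bearer branch.
    Returns an HTTP status: 200 (allowed), 401 (no valid key), 403 (restricted)."""
    h = _normalize(headers)
    auth = h.get("authorization", "")
    if auth.startswith("Bearer "):
        key = _lookup(auth[len("Bearer "):])
        if key is None:
            return 401
        return 200 if _endpoint_allowed(key, path) else 403
    if "x-api-key" in h:
        key = _lookup(h["x-api-key"])
        if key is None:
            return 401
        # BUG: same key, same path, but the endpoint restriction is never consulted.
        return 200
    return 401


def extract_api_key(headers: Dict[str, str]) -> Optional[str]:
    """Single extraction point: whichever header carried the key, the caller
    gets the same raw secret, so every later check sees the same principal."""
    h = _normalize(headers)
    auth = h.get("authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return h.get("x-api-key")


def authorize_fixed(headers: Dict[str, str], path: str) -> int:
    """0.9.0-style shape: authenticate first, then apply the restriction once,
    independent of which header carried the credential."""
    key = _lookup(extract_api_key(headers))
    if key is None:
        return 401
    return 200 if _endpoint_allowed(key, path) else 403


if __name__ == "__main__":
    restricted = "sk-restricted-demo"
    for name, hdrs in (("Bearer", {"Authorization": f"Bearer {restricted}"}),
                       ("x-api-key", {"x-api-key": restricted})):
        print(f"{name:10s} vulnerable={authorize_vulnerable(hdrs, '/api/v1/messages')}"
              f" fixed={authorize_fixed(hdrs, '/api/v1/messages')}")
```

The design point is that authentication (which principal is this) and authorization (what may it reach) are separate steps, and the second must run on the resolved principal, not on the transport form of the credential. Any code path that resolves a key without passing through the shared check is a bypass waiting to be found.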
Defensive priority
medium
Recommended defensive actions
- Upgrade Open WebUI to version 0.9.0 or later to remediate the authorization bypass vulnerability.
- Before upgrading, review API key configurations (which keys carry endpoint restrictions) and access logs for requests to restricted endpoints that authenticated with the x-api-key header rather than Bearer; if your logs do not record which header carried the credential, treat successful responses to a restricted key on a blocked endpoint as the indicator.
- Verify that endpoint restrictions are consistently enforced across all authentication header formats after upgrading.
- Consider implementing additional network-layer controls or API gateway policies to enforce endpoint restrictions as defense in depth.
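One way to carry out the post-upgrade verification step above (added example code, not an Open WebUI tool): send the same restricted key through both header forms to a restricted endpoint and report whether the answers agree. The base URL, endpoint path, HTTP method and request body are assumptions to adjust for your deployment; the `Probe` callable is injected so the check can also run offline against a stand-in server.

```python
# Added post-upgrade check for CVE-2026-45339. Example code, not an Open WebUI
# tool. Base URL, path, method and body are deployment-specific assumptions.
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

Probe = Callable[[str, Dict[str, str]], int]   # (path, headers) -> HTTP status


def http_probe(base_url: str, method: str = "POST",
               body: Optional[dict] = None, timeout: float = 10.0) -> Probe:
    """Build a probe that talks to a live server with urllib.
    Non-2xx responses are returned as status codes, not raised."""
    payload = json.dumps(body or {}).encode()

    def probe(path: str, headers: Dict[str, str]) -> int:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=payload, method=method,
            headers={"Content-Type": "application/json", **headers})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code   # 401/403 are the signal we want, not a failure
    return probe


def header_variants(api_key: str) -> Dict[str, Dict[str, str]]:
    """The two credential transports the advisory contrasts."""
    return {
        "bearer": {"Authorization": f"Bearer {api_key}"},
        "x-api-key": {"x-api-key": api_key},
    }


def check_restricted_endpoint(probe: Probe, api_key: str, path: str) -> dict:
    """Run a restricted key through every header variant against one blocked
    endpoint. 'ok' requires that all variants agree and none returned 2xx."""
    statuses = {name: probe(path, hdrs)
                for name, hdrs in header_variants(api_key).items()}
    bypass: List[str] = [name for name, s in statuses.items() if 200 <= s < 300]
    consistent = len(set(statuses.values())) == 1
    return {
        "statuses": statuses,
        "consistent": consistent,
        "bypass_via": bypass,
        "ok": consistent and not bypass,
    }


if __name__ == "__main__":
    import sys
    # Usage: python check.py https://openwebui.example.internal sk-... /api/v1/messages
    base, key, path = sys.argv[1:4]
    print(check_restricted_endpoint(http_probe(base), key, path))
```

Run it with a key that is restricted away from the chosen endpoint. A result with `bypass_via` non-empty after the upgrade means the restriction is still not applied on that transport; a mismatch in `statuses` without a 2xx is still worth a look, since it shows the two paths are not sharing one authorization decision.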
Evidence notes
Vendor advisory confirms bypass mechanism and fix version; NVD analysis confirms CVSS 3.1 vector and affected version range.
Official resources
- CVE-2026-45339 CVE record (CVE.org)
- CVE-2026-45339 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
2026-05-15T20:16:48.693Z