PatchSiren cyber security CVE debrief
CVE-2026-45345 open-webui CVE debrief
Open WebUI versions prior to 0.5.7 contain an insecure direct object reference vulnerability where authenticated users can modify another user's private models by manipulating access permission parameters during the edit operation. The flaw stems from missing authorization checks when processing model updates, allowing attackers to escalate privileges and gain unauthorized access to models explicitly marked as Private. This represents a confidentiality and integrity risk in multi-user deployments where model isolation is expected. The vulnerability was disclosed via GitHub Security Advisory and patched in version 0.5.7 released May 2026. No known exploitation in the wild has been reported. Organizations should prioritize upgrading to 0.5.7 or later and review access logs for anomalous model modifications between deployment and patch application.
- Vendor
- open-webui
- Product
- Unknown
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-18
Who should care
Organizations running multi-user Open WebUI deployments with sensitive or proprietary AI models; security teams managing self-hosted AI infrastructure; compliance officers responsible for data isolation in AI platforms; DevOps teams maintaining Open WebUI instances with external user access
Technical summary
The vulnerability exists in Open WebUI's model editing functionality where the application fails to validate that the requesting user has ownership or explicit authorization to modify the target model. When a user submits a model update request, the application accepts permission changes without verifying the requester's relationship to the model. This allows any authenticated user to alter the visibility settings of another user's private models, effectively converting private resources to accessible states. The attack requires low complexity network access and valid user credentials, with no user interaction required. The integrity impact is rated high per CVSS due to unauthorized modification capability, while confidentiality and availability impacts are not directly scored in the base metric. The fix in 0.5.7 implements proper authorization checks before processing model permission updates.
Defensive priority
medium
Recommended defensive actions
- Upgrade Open WebUI to version 0.5.7 or later to remediate the authorization bypass vulnerability
- Review model access logs and audit trails for unauthorized modifications to private models prior to patching
- Verify that model ownership and visibility controls enforce proper authorization checks after upgrade
- Implement principle of least privilege for user accounts with model editing capabilities
- Monitor for anomalous API requests to model update endpoints that include permission parameter changes
Evidence notes
NVD analyzed status; GitHub Security Advisory GHSA-gm54-m39w-grjp confirms vendor acknowledgment and fix in 0.5.7; CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N aligns with description of unauthorized modification capability; CWE-285 (Improper Authorization) classified as secondary weakness source
Official resources
-
CVE-2026-45345 CVE record
CVE.org
-
CVE-2026-45345 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
2026-05-15