PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45349 open-webui CVE debrief

Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability in the chat completions API. An authenticated user can access and continue another user's conversation by supplying their own valid API key alongside the target user's Chat ID to the /api/chat/completions endpoint. The vulnerability stems from improper authorization checks that fail to verify the requesting user's ownership of the specified Chat ID. This allows horizontal privilege escalation between user accounts, potentially exposing sensitive conversation content. The issue is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The vendor has released version 0.9.0 to address this flaw.

Vendor: open-webui
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances for internal AI workloads, particularly those with multi-user deployments handling sensitive or regulated data. Security teams responsible for API authorization controls and privacy compliance officers concerned with conversation data segregation between users.

Technical summary

The /api/chat/completions endpoint in Open WebUI before 0.9.0 fails to validate that the authenticated user owns the Chat ID specified in the request. An attacker with a valid API key can enumerate or guess Chat IDs to access arbitrary user conversations. The vulnerability requires network access and valid authentication but no user interaction. Confidentiality impact is rated HIGH due to exposure of private conversation data; integrity impact is LOW as conversations can be continued but not necessarily modified in place.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.0 or later to remediate this vulnerability
  • Review API access logs for suspicious /api/chat/completions requests where the authenticated user and Chat ID owner differ
  • Implement additional authorization checks at the application layer to validate Chat ID ownership before processing completion requests
  • Consider rotating API keys for users if unauthorized conversation access is suspected
  • Monitor for anomalous cross-user conversation access patterns in authentication logs
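As an added example (not Open WebUI's code, and not the real log schema of the project), the following script models the ownership check the technical summary says was missing and runs the log review recommended above over a few constructed JSON access-log lines. The `CHAT_OWNERS` table, the log field names and the sample entries are assumptions constructed for the demonstration.

```python
"""Flag /api/chat/completions requests whose authenticated user does not own the chat.

Models the CWE-639 condition from the debrief: the server must verify that the
requesting user owns the Chat ID before continuing the conversation.  The log
format and ownership table below are constructed, not Open WebUI's real schema.
"""
import json

# Constructed chat-ownership table (assumption: chat_id -> owning user id).
CHAT_OWNERS = {
    "chat-0001": "alice",
    "chat-0002": "bob",
    "chat-0003": "alice",
}


def owns_chat(user_id, chat_id, owners=CHAT_OWNERS):
    """The authorization check the vulnerable endpoint lacked: True only when
    chat_id exists and belongs to user_id.  Unknown IDs are denied, not leaked."""
    return owners.get(chat_id) == user_id


# Constructed sample access log, one JSON record per line (hypothetical format).
SAMPLE_LOG = """\
{"ts":"2026-05-16T10:00:01Z","user":"alice","path":"/api/chat/completions","chat_id":"chat-0001"}
{"ts":"2026-05-16T10:00:07Z","user":"bob","path":"/api/chat/completions","chat_id":"chat-0001"}
{"ts":"2026-05-16T10:00:09Z","user":"bob","path":"/api/models","chat_id":null}
{"ts":"2026-05-16T10:00:12Z","user":"carol","path":"/api/chat/completions","chat_id":"chat-9999"}
"""


def find_cross_user_access(log_text, owners=CHAT_OWNERS):
    """Return (ts, user, chat_id, owner) for completion requests that fail owns_chat().

    Requests for chat IDs with no known owner are reported with owner None, so
    that probing of non-existent IDs surfaces in the same review.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("path") != "/api/chat/completions" or not rec.get("chat_id"):
            continue  # only completion requests that reference a chat matter here
        if not owns_chat(rec["user"], rec["chat_id"], owners):
            findings.append((rec["ts"], rec["user"], rec["chat_id"], owners.get(rec["chat_id"])))
    return findings


if __name__ == "__main__":
    for ts, user, chat_id, owner in find_cross_user_access(SAMPLE_LOG):
        print(f"{ts} user={user} requested chat={chat_id} owned_by={owner}")
```

On a real deployment the ownership table would come from the application database and the log lines from the reverse proxy or application log, with the field names adjusted to match.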

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-gfm2-xm6c-37qc with exploit and mitigation details. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N yields score 7.1 (HIGH). Affected versions: all versions prior to 0.9.0 per CPE criteria.
