PatchSiren cyber security CVE debrief
CVE-2026-45351 open-webui CVE debrief
A medium-severity information disclosure vulnerability in Open WebUI allows non-administrative users to view system prompts configured by administrators. The issue stems from the `/api/models` endpoint returning model configuration data—including system prompts—to authenticated regular users without proper access controls. This exposure occurs when any standard user logs into the application and the frontend initiates a request to enumerate available models. System prompts often contain sensitive instructions, behavioral constraints, or contextual data that administrators intend to keep confidential from end users. The vulnerability affects all versions prior to 0.8.9 and was addressed by implementing proper authorization checks on the API endpoint. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network accessibility, low attack complexity, low privileges required, and high confidentiality impact with no integrity or availability effects. The CWE-200 classification confirms this as an information exposure weakness. Organizations running self-hosted Open WebUI instances should prioritize upgrading to version 0.8.9 or later to prevent unauthorized disclosure of model configuration details.
- Vendor
- open-webui
- Product
- Unknown
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-18
Who should care
Organizations operating self-hosted Open WebUI instances with multiple user access tiers, particularly those using system prompts to enforce content policies, implement safety guardrails, or embed proprietary contextual instructions that should remain confidential from end users.
Technical summary
The `/api/models` API endpoint in Open WebUI versions before 0.8.9 fails to enforce administrative access controls when returning model metadata. Authenticated non-admin users receive complete model configuration objects including the `system` field containing administrator-defined system prompts. The frontend automatically triggers this request upon user login, making exposure passive and unavoidable for regular users. The fix in 0.8.9 implements authorization checks that filter sensitive fields based on user role or restrict endpoint access to administrative users only.
Defensive priority
medium
Recommended defensive actions
- Upgrade Open WebUI to version 0.8.9 or later to remediate the information disclosure vulnerability
- Review access logs for unauthorized `/api/models` endpoint access by non-administrative accounts prior to patching
- Audit model configurations to identify any system prompts that may have been exposed and rotate sensitive content if warranted
- Implement network segmentation or additional authentication layers for administrative Open WebUI instances until patching is complete
- Monitor for future security advisories from the Open WebUI project by subscribing to GitHub security notifications
Evidence notes
Vulnerability confirmed through vendor security advisory (GHSA-jh9g-8jqw-m2qx) with exploit details and mitigation guidance. NVD record establishes CPE criteria and CVSS scoring. Fix version 0.8.9 explicitly stated in advisory.
Official resources
-
CVE-2026-45351 CVE record
CVE.org
-
CVE-2026-45351 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Vendor Advisory
2026-05-15