PatchSiren

CVE-2026-45387 open-webui CVE debrief

Open WebUI versions prior to 0.9.5 contain an information disclosure vulnerability where users granted read access to a model through group permissions can also view the model's system prompt. System prompts may contain confidential instructions, configuration details, or other sensitive content that model owners intend to keep private. The CVSS 3.1 score of 4.3 (Medium) reflects the network-accessible nature of the vulnerability with low attack complexity, though it requires authenticated access with low privileges. The issue was published on May 15, 2026, and the NVD record was last modified on May 19, 2026. The vendor has addressed this in version 0.9.5.

Vendor: open-webui
Product: Unknown
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances with multi-user deployments, particularly those using system prompts containing proprietary business logic, safety configurations, or other confidential operational parameters. Administrators who have configured group-based model sharing should prioritize this update.

Technical summary

Open WebUI is a self-hosted AI platform. In versions before 0.9.5, the permission model does not adequately separate model usage rights from system prompt visibility. When a group is granted read access to a model for usage purposes, members of that group can also retrieve the model's system prompt through normal API interactions. System prompts often contain proprietary instructions, safety guidelines, or configuration parameters that operators consider confidential. The fix in 0.9.5 implements proper authorization checks to prevent unauthorized system prompt access while preserving intended model usage capabilities.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.5 or later to remediate this vulnerability
  • Review existing model permissions and group assignments to identify potentially exposed system prompts
  • Audit access logs for unauthorized system prompt access prior to patching
  • Consider implementing additional access controls for sensitive system prompts independent of model usage permissions
  • Monitor for future security advisories from the Open WebUI project
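
As an added example (not code from Open WebUI or the advisory), the Python sketch below carries out the permission review from the list above and shows the separation of usage rights from prompt visibility described in the technical summary. The record fields (`system_prompt`, `read_groups`, `write_groups`), the sample data, and the rule that only write access may view the prompt are assumptions made for illustration.

```python
# Added illustration; field names and sample records are assumptions,
# not Open WebUI's real schema or API.
MODELS = [  # constructed sample data
    {"id": "support-bot", "system_prompt": "Internal escalation rules ...",
     "read_groups": ["helpdesk", "sales"], "write_groups": ["ml-admins"]},
    {"id": "plain-llm", "system_prompt": "",
     "read_groups": ["everyone"], "write_groups": ["ml-admins"]},
    {"id": "internal-rag", "system_prompt": "Answer only from the wiki index.",
     "read_groups": ["ml-admins"], "write_groups": ["ml-admins"]},
]


def exposed_prompts(models):
    """Map model id -> groups holding read but not write on a model with a prompt."""
    findings = {}
    for m in models:
        if not (m.get("system_prompt") or "").strip():
            continue  # nothing confidential to expose
        read_only = set(m.get("read_groups", [])) - set(m.get("write_groups", []))
        if read_only:
            findings[m["id"]] = sorted(read_only)
    return findings


def model_view(model, user_groups):
    """Build the record returned to a caller, keeping usage and prompt visibility separate."""
    groups = set(user_groups)
    can_write = bool(groups & set(model.get("write_groups", [])))
    can_read = can_write or bool(groups & set(model.get("read_groups", [])))
    if not can_read:
        raise PermissionError(f"no access to model {model['id']}")
    view = {"id": model["id"]}  # enough to select and use the model
    if can_write:  # assumption: only managers may read the prompt
        view["system_prompt"] = model["system_prompt"]
    return view


if __name__ == "__main__":
    for model_id, groups in exposed_prompts(MODELS).items():
        print(f"{model_id}: prompt visible to read-only groups {groups}")
```

The groups reported by `exposed_prompts` are the ones whose members could have read a prompt before the upgrade, which makes them the starting point for the access-log audit.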

Evidence notes

The vulnerability is confirmed by the vendor security advisory (GHSA-h2cw-7qw9-56xr) and analyzed in the NVD. CPE criteria confirm affected versions are all releases prior to 0.9.5. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) is identified as the weakness type.

Official resources

This vulnerability was disclosed through GitHub Security Advisories and subsequently published to the NVD. The vendor advisory includes exploit details demonstrating the information disclosure.