PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45399 open-webui CVE debrief

Open WebUI versions prior to 0.9.0 contain a missing-authorization flaw (CWE-862): any authenticated user, including one with low privileges, can enumerate and terminate background tasks belonging to other users. The vulnerable endpoints, GET /api/tasks and POST /api/tasks/stop/{task_id}, do not check task ownership, so a single low-privilege account can cancel active tasks across the deployment and disrupt chat operations for every user. The impact is confined to multi-user deployments, where task isolation between users is expected. The CVE was published on 2026-05-15 and last modified on 2026-05-19. No exploitation in ransomware campaigns has been reported.

Vendor
open-webui
Product
Open WebUI (not present in the stored record; inferred from the CPE cpe:2.3:a:openwebui:open_webui in the evidence notes)
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-19
Advisory published
2026-05-15
Advisory updated
2026-05-19

Who should care

Organizations running multi-user Open WebUI deployments prior to 0.9.0, particularly those with untrusted or broadly provisioned user accounts (open self-registration, shared lab or classroom instances). Also relevant to administrators responsible for AI platform availability and to security teams monitoring for insider misuse or abuse of low-privilege accounts in self-hosted AI infrastructure.

Technical summary

The vulnerability stems from missing authorization checks on two REST endpoints: GET /api/tasks, which lists active background tasks, and POST /api/tasks/stop/{task_id}, which terminates a specific task. Authenticated users can call both regardless of who owns the task, so the first call discloses task identifiers belonging to other users and the second lets the caller cancel them. The attack requires only network access to the API and valid low-privilege credentials, with no user interaction. Successful exploitation has a high availability impact (cancellation of other users' in-flight chat operations) and a limited confidentiality impact (enumeration of task identifiers). The fix in version 0.9.0 scopes both operations to the requesting user.
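The shape of the flaw and of the fix, as an added illustration written for this debrief (this is the editor's model, not Open WebUI's code): a task registry that records which user started each task, with a list/stop pair that ignores ownership beside a pair that scopes both operations to the caller.

```python
"""Model of the missing-authorization pattern behind CVE-2026-45399.

Added illustration for this debrief, written by the editor; it is NOT
Open WebUI's code. It assumes a registry in which every background task
records the user that started it, and contrasts a list/stop pair that
ignores ownership (the vulnerable shape) with one that scopes both
operations to the caller (the shape the 0.9.0 fix is described as adding).
"""
from dataclasses import dataclass, field


@dataclass
class Task:
    task_id: str
    owner_id: str      # user who started the task
    cancelled: bool = False


@dataclass
class TaskRegistry:
    tasks: dict = field(default_factory=dict)

    def add(self, task: Task) -> None:
        self.tasks[task.task_id] = task


# --- vulnerable shape: caller identity is never consulted -------------------

def list_tasks_unscoped(reg: TaskRegistry, caller_id: str) -> list:
    """Returns every task id in the deployment (task enumeration, CWE-862)."""
    return sorted(reg.tasks)


def stop_task_unscoped(reg: TaskRegistry, caller_id: str, task_id: str) -> int:
    """Cancels any existing task regardless of owner; returns an HTTP-style status."""
    task = reg.tasks.get(task_id)
    if task is None:
        return 404
    task.cancelled = True
    return 200


# --- fixed shape: both operations scoped to the authenticated caller --------

def list_tasks_scoped(reg: TaskRegistry, caller_id: str) -> list:
    """Returns only the caller's own task ids."""
    return sorted(t.task_id for t in reg.tasks.values() if t.owner_id == caller_id)


def stop_task_scoped(reg: TaskRegistry, caller_id: str, task_id: str) -> int:
    """Only the owner may cancel. A foreign task id gets the same 404 as an
    unknown one, so the endpoint does not confirm that another user's task exists."""
    task = reg.tasks.get(task_id)
    if task is None or task.owner_id != caller_id:
        return 404
    task.cancelled = True
    return 200


def _fresh_registry() -> TaskRegistry:
    reg = TaskRegistry()
    reg.add(Task("t-alice-1", "alice"))
    reg.add(Task("t-mallory-1", "mallory"))
    return reg


def demo() -> dict:
    """Two users with one task each; 'mallory' (low privilege) tries to
    enumerate and stop 'alice's task against both shapes."""
    results = {}
    for name, list_fn, stop_fn in (
        ("vulnerable", list_tasks_unscoped, stop_task_unscoped),
        ("fixed", list_tasks_scoped, stop_task_scoped),
    ):
        reg = _fresh_registry()
        results[name] = {
            "mallory_sees": list_fn(reg, "mallory"),
            "stop_status": stop_fn(reg, "mallory", "t-alice-1"),
            "alice_task_cancelled": reg.tasks["t-alice-1"].cancelled,
        }
    return results


if __name__ == "__main__":
    for shape, outcome in demo().items():
        print(shape, outcome)
```

Whether administrators should be exempt from the owner check is a deployment decision the advisory does not address; if an admin bypass exists, it must be tied to a verified role, not to any flag the caller controls.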

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.0 or later to obtain the authorization fix
  • Review and restrict user registration policies to limit untrusted authenticated access
  • Monitor access and API logs for bursts of GET /api/tasks or POST /api/tasks/stop/ requests from a single account or source address, and for stop requests against tasks the caller did not start
  • Restrict network exposure of the Open WebUI API (the vulnerable endpoints are reachable by any authenticated user, not only administrators), for example by placing the instance behind a VPN or an access-controlled reverse proxy
  • After patching, verify with two ordinary accounts that GET /api/tasks returns only the caller's own tasks and that POST /api/tasks/stop/{task_id} rejects a task id belonging to another user
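For the log-monitoring action above, an added example of the detection logic run over constructed access-log lines. This is the editor's example, not a PatchSiren or Open WebUI tool; it assumes the instance sits behind a reverse proxy writing nginx combined-format access logs, and the sample lines are constructed, not captured traffic.

```python
"""Detection over reverse-proxy access logs for task enumeration/termination bursts.

Added example for this debrief, not part of Open WebUI or PatchSiren. It
assumes the instance sits behind a proxy writing nginx "combined"-format
access logs (the sample lines below are constructed, not captured). Proxy
logs carry no user identity, so the rules key on source address; correlate
hits with application logs or the IdP to attribute them to an account.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TASK_LIST = re.compile(r"^/api/tasks/?(\?.*)?$")
TASK_STOP = re.compile(r"^/api/tasks/stop/[^/?]+")

SAMPLE_LOG = [  # constructed sample, not real traffic
    '10.0.0.5 - - [15/May/2026:20:16:48 +0000] "GET /api/tasks HTTP/1.1" 200 181 "-" "curl/8.6.0"',
    '10.0.0.5 - - [15/May/2026:20:16:52 +0000] "POST /api/tasks/stop/task-0001 HTTP/1.1" 200 16 "-" "curl/8.6.0"',
    '10.0.0.9 - - [15/May/2026:20:16:53 +0000] "GET /api/v1/chats/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/May/2026:20:16:55 +0000] "POST /api/tasks/stop/task-0002 HTTP/1.1" 200 16 "-" "curl/8.6.0"',
    '10.0.0.5 - - [15/May/2026:20:16:57 +0000] "POST /api/tasks/stop/task-0003 HTTP/1.1" 200 16 "-" "curl/8.6.0"',
    '10.0.0.9 - - [15/May/2026:20:31:10 +0000] "POST /api/tasks/stop/task-0042 HTTP/1.1" 200 16 "-" "Mozilla/5.0"',
]


def parse(line: str):
    """Parses one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def classify(ev):
    """'list' for task enumeration, 'stop' for task termination, else None."""
    if ev["method"] == "GET" and TASK_LIST.match(ev["path"]):
        return "list"
    if ev["method"] == "POST" and TASK_STOP.match(ev["path"]):
        return "stop"
    return None


def detect(lines, window_s=60, stop_threshold=3):
    """Two rules, both per source IP and both counting attempts regardless of
    status (denied attempts after patching are still worth a look):
      enumerate_then_stop: a task-list call followed by a stop within window_s
      stop_burst: at least stop_threshold stop calls within window_s
    Each (ip, rule) pair is reported once."""
    stops = defaultdict(deque)
    last_list = {}
    alerts, seen = [], set()

    def fire(rule, ev, detail):
        if (ev["ip"], rule) not in seen:
            seen.add((ev["ip"], rule))
            alerts.append({"ip": ev["ip"], "rule": rule,
                           "at": ev["ts"].isoformat(), "detail": detail})

    for line in lines:
        ev = parse(line)
        kind = classify(ev) if ev else None
        if kind == "list":
            last_list[ev["ip"]] = ev["ts"]
        elif kind == "stop":
            q = stops[ev["ip"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            prev = last_list.get(ev["ip"])
            if prev is not None and (ev["ts"] - prev).total_seconds() <= window_s:
                fire("enumerate_then_stop", ev,
                     f"list at {prev.isoformat()} then stop {ev['path']}")
            if len(q) >= stop_threshold:
                fire("stop_burst", ev, f"{len(q)} stop calls in {window_s}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune window_s and stop_threshold to the instance: a user legitimately stopping their own generation produces an occasional single stop, not a list-then-stop sequence or a burst. On the constructed sample, 10.0.0.5 triggers both rules and 10.0.0.9 neither.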
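For the post-patch validation action above, an added example of a two-account isolation check. It is the editor's example, not a tool shipped by the Open WebUI project. It assumes you hold bearer tokens for two ordinary accounts, A and B, and a task id owned by A obtained out of band; the JSON layout of the GET /api/tasks response is not assumed, so the extractor accepts several common shapes, and the HTTP transport is injectable so the logic can be dry-run offline against the constructed FakeServer.

```python
"""Post-patch check that Open WebUI's task endpoints are scoped to the caller.

Added example for this debrief, not a tool shipped by the Open WebUI project.
Assumptions: you hold bearer tokens for two ordinary (non-admin) accounts, A
and B, and a task id owned by A obtained out of band (start a chat completion
as A and read GET /api/tasks as A). The response body shape of GET /api/tasks
is not assumed; extract_task_ids() accepts the common JSON layouts. The HTTP
transport is injectable so the check can be dry-run offline against the
FakeServer below, which is a constructed stand-in, not a real instance.
"""
import json
import os
import urllib.error
import urllib.request


def urllib_transport(method: str, url: str, token: str):
    """Default transport: one authenticated request, returning (status, body)."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def extract_task_ids(body: str) -> set:
    """Pulls task ids from a JSON body: a bare list of ids, a list of objects
    carrying 'id'/'task_id', or a dict wrapping either under a known key."""
    try:
        data = json.loads(body)
    except ValueError:
        return set()
    if isinstance(data, dict):
        for key in ("task_ids", "tasks", "items"):
            if key in data:
                data = data[key]
                break
    if isinstance(data, dict):          # mapping of task_id -> metadata
        return {str(k) for k in data}
    if not isinstance(data, list):
        return set()
    ids = set()
    for item in data:
        if isinstance(item, str):
            ids.add(item)
        elif isinstance(item, dict):
            for key in ("id", "task_id"):
                if key in item:
                    ids.add(str(item[key]))
                    break
    return ids


def check_task_isolation(base_url, a_token, b_token, a_task_id,
                         transport=urllib_transport) -> dict:
    """B must neither see nor stop A's task; A seeing it before and after is corroboration."""
    list_url = f"{base_url}/api/tasks"
    stop_url = f"{base_url}/api/tasks/stop/{a_task_id}"
    f = {}
    status, body = transport("GET", list_url, a_token)       # control: A sees own task
    f["a_sees_own_task"] = status == 200 and a_task_id in extract_task_ids(body)
    status, body = transport("GET", list_url, b_token)       # enumeration check
    f["b_sees_a_task"] = status == 200 and a_task_id in extract_task_ids(body)
    status, _ = transport("POST", stop_url, b_token)         # cross-user stop check
    f["b_stop_status"] = status
    f["b_can_stop_a_task"] = status == 200
    status, body = transport("GET", list_url, a_token)       # did A's task survive?
    f["a_task_survives"] = status == 200 and a_task_id in extract_task_ids(body)
    f["vulnerable"] = f["b_sees_a_task"] or f["b_can_stop_a_task"]
    return f


class FakeServer:
    """Constructed stand-in for dry runs; patched=True scopes both endpoints."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.tasks = {"task-a-1": "tokenA", "task-b-1": "tokenB"}   # task id -> owner token

    def __call__(self, method, url, token):
        path = url.split("/api", 1)[1]
        if method == "GET" and path == "/tasks":
            visible = [t for t, o in self.tasks.items() if not self.patched or o == token]
            return 200, json.dumps({"tasks": visible})
        if method == "POST" and path.startswith("/tasks/stop/"):
            tid = path.rsplit("/", 1)[1]
            owner = self.tasks.get(tid)
            if owner is None or (self.patched and owner != token):
                return 404, "{}"
            del self.tasks[tid]
            return 200, json.dumps({"status": True})
        return 404, "{}"


if __name__ == "__main__":
    # Live run against a real instance; the environment variable names are chosen here.
    env = {k: os.environ[k] for k in ("OWUI_URL", "OWUI_TOKEN_A", "OWUI_TOKEN_B", "OWUI_A_TASK_ID")}
    print(check_task_isolation(env["OWUI_URL"], env["OWUI_TOKEN_A"],
                               env["OWUI_TOKEN_B"], env["OWUI_A_TASK_ID"]))
```

On a live instance use a task that runs long enough to outlast the four requests (a lengthy generation), otherwise a_task_survives can read False simply because the task finished; the vulnerable verdict therefore rests only on what B can see and stop. A 403 or 404 on B's stop call is the expected patched behaviour; a 404 is preferable because it does not confirm that the task exists.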

Evidence notes

Authorization bypass confirmed via vendor security advisory. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H (network-reachable, low attack complexity, low privileges required, no user interaction, unchanged scope; low confidentiality, no integrity and high availability impact), which yields the 7.1 base score. CPE: cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*, versions before 0.9.0.

Official resources

2026-05-15T20:16:48.950Z