PatchSiren cyber security CVE debrief
CVE-2026-54006 open-webui CVE debrief
CVE-2026-54006 is a medium-severity vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The vulnerability exists in the POST /api/v1/calendars/events/{event_id}/update endpoint, which fails to validate the destination calendar_id supplied in the request body. This allows a regular user-role account to create an event in its own calendar and immediately move it into any other user's calendar whose ID it knows, bypassing the authorization check that the create_event function performs. The vulnerability is fixed in Open WebUI version 0.9.6.
- Vendor: open-webui
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-25
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-25
Who should care
Administrators and users of Open WebUI, especially those with multi-user environments, should be aware of this vulnerability. A regular user with knowledge of another user's calendar ID can exploit this vulnerability to manipulate events in that user's calendar. Therefore, users with sensitive or shared calendars should take immediate action to update their Open WebUI installation.
Technical summary
The vulnerability in Open WebUI arises from insufficient validation in the POST /api/v1/calendars/events/{event_id}/update endpoint. Specifically, the endpoint checks if the caller has write access to the calendar the event currently belongs to but does not verify the destination calendar_id provided in the request body. As a result, an attacker with a regular user-role account can move an event from their own calendar into any other user's calendar, provided they know the ID of the target calendar. This bypasses the authorization checks that are correctly enforced when creating new events. The issue is addressed in Open WebUI version 0.9.6.
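To make the missing check concrete, the following toy model is an added example, not Open WebUI's code: the calendar table, the user names and the handler functions are hypothetical. The pre-fix handler verifies only the calendar the event currently belongs to, while the hardened handler also verifies the destination supplied in the body, the same check that create_event already applies.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Stands in for the HTTP 403 the real endpoint would return."""

@dataclass
class Event:
    id: str
    calendar_id: str
    title: str

# Constructed sample state: calendar id -> owner id, and the event table.
CALENDAR_OWNERS = {"cal-alice": "alice", "cal-bob": "bob"}
EVENTS: dict = {}

def can_write(user_id: str, calendar_id: str) -> bool:
    # Hypothetical access rule: only the owner may write to a calendar.
    return CALENDAR_OWNERS.get(calendar_id) == user_id

def create_event(user_id: str, event_id: str, calendar_id: str, title: str) -> Event:
    # Creation checks the destination calendar, as the advisory says create_event does.
    if not can_write(user_id, calendar_id):
        raise Forbidden(f"{user_id} may not write to {calendar_id}")
    EVENTS[event_id] = Event(event_id, calendar_id, title)
    return EVENTS[event_id]

def update_event_vulnerable(user_id: str, event_id: str, body: dict) -> Event:
    # Pre-fix pattern: only the calendar the event currently lives in is checked,
    # so a calendar_id supplied in the body is applied without authorization.
    ev = EVENTS[event_id]
    if not can_write(user_id, ev.calendar_id):
        raise Forbidden(f"{user_id} may not write to {ev.calendar_id}")
    ev.calendar_id = body.get("calendar_id", ev.calendar_id)
    return ev

def update_event_fixed(user_id: str, event_id: str, body: dict) -> Event:
    # Hardened pattern: a move must pass the same check on the destination calendar.
    ev = EVENTS[event_id]
    dest = body.get("calendar_id", ev.calendar_id)
    if not (can_write(user_id, ev.calendar_id) and can_write(user_id, dest)):
        raise Forbidden(f"{user_id} may not move {event_id} to {dest}")
    ev.calendar_id = dest
    return ev

def move_outcome(handler, user_id: str, event_id: str, dest: str) -> str:
    # Returns the event's calendar after the attempt, or "forbidden" if refused.
    try:
        return handler(user_id, event_id, {"calendar_id": dest}).calendar_id
    except Forbidden:
        return "forbidden"
```

Running move_outcome with each handler shows the difference: the vulnerable handler lets alice relocate her own event into cal-bob, while the fixed handler refuses and leaves the event where it was.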
Defensive priority
Defenders should prioritize updating Open WebUI to version 0.9.6 or later. In the interim, monitoring for unusual calendar event modifications and restricting calendar IDs that can be targeted by regular users may help mitigate the risk.
Recommended defensive actions
- Update Open WebUI to version 0.9.6 or later.
- Monitor for unusual patterns of calendar event modifications.
- Restrict the ability of regular users to specify arbitrary calendar IDs for event moves.
- Implement additional logging and monitoring for calendar-related activities.
- Review and update access controls for calendar management.
Evidence notes
The CVE-2026-54006 vulnerability is confirmed by the CVE and NVD records. The vulnerability allows for unauthorized manipulation of calendar events by regular users. The fix is included in Open WebUI version 0.9.6. Users should refer to the official CVE record and NVD details for further information.
Official resources
- CVE-2026-54006 CVE record (CVE.org)
- CVE-2026-54006 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.