PT-2026-41169 · Unknown · Open-Webui
Published 2026-05-09 · Updated 2026-05-16
CVE-2026-45316
CVSS v2.0: 4.0 (Medium)
| Vector | AV:N/AC:L/Au:S/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Open WebUI versions prior to 0.9.3
Description
The "POST /api/v1/notes/{id}/pin" endpoint performs a write operation by toggling the is_pinned field, but it validates only read permission on the note. As a result, a user who has read-only access to a shared note can pin or unpin it, changing the note's state without the write authorization that operation requires. The change is visible to the note owner and to every other user with access to the note.
Recommendations
Update to version 0.9.3.
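The defect is a mismatch between the permission checked and the effect of the operation. The following example, written for this page and not taken from Open WebUI, models it with a minimal note object and a hypothetical sharing ACL (user_id mapped to "read" or "write"): one handler reproduces the bug by gating a state change on the read check, the other requires write permission. The names Note, has_access, toggle_pin_vulnerable, toggle_pin_fixed and outcome are all assumptions of this example.

```python
"""Added illustration of the authorization defect described above.

This is example code written for this page, not Open WebUI's code. The
Note model, the has_access helper and the two handlers are hypothetical
stand-ins for a FastAPI route; the ACL shape (user_id -> "read"/"write")
is an assumption chosen to keep the example self-contained.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


@dataclass
class Note:
    id: str
    owner_id: str
    is_pinned: bool = False
    # Hypothetical sharing ACL: user_id -> "read" or "write".
    access_control: dict = field(default_factory=dict)


def has_access(note: Note, user_id: str, permission: str) -> bool:
    """Owner holds every permission; a shared user holds what the ACL
    grants, with "write" implying "read"."""
    if user_id == note.owner_id:
        return True
    granted = note.access_control.get(user_id)
    if granted == "write":
        return True
    return granted == "read" and permission == "read"


def toggle_pin_vulnerable(note: Note, user_id: str) -> bool:
    """Mirrors the bug: a state-changing operation gated on the read check."""
    if not has_access(note, user_id, "read"):
        raise Forbidden("read access required")
    note.is_pinned = not note.is_pinned  # mutation allowed with read rights only
    return note.is_pinned


def toggle_pin_fixed(note: Note, user_id: str) -> bool:
    """Hardened form: any mutation of the note requires write permission."""
    if not has_access(note, user_id, "write"):
        raise Forbidden("write access required")
    note.is_pinned = not note.is_pinned
    return note.is_pinned


def outcome(handler, user_id: str) -> str:
    """Run handler as user_id against a fresh constructed note and report
    "pinned", "unpinned" or "denied"."""
    # Constructed sample: alice owns the note, bob is read-only, carol can write.
    note = Note(id="note-1", owner_id="alice",
                access_control={"bob": "read", "carol": "write"})
    try:
        handler(note, user_id)
    except Forbidden:
        return "denied"
    return "pinned" if note.is_pinned else "unpinned"


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user,
              "vulnerable:", outcome(toggle_pin_vulnerable, user),
              "fixed:", outcome(toggle_pin_fixed, user))
```

Running the block shows bob, who holds only read access, flipping is_pinned under the vulnerable handler and being refused under the fixed one, while the owner and the write-capable user succeed in both and an unrelated user is denied in both. The rule the fix applies is that the permission checked must match the effect of the operation on stored state, not the HTTP method or the name of the route.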
Weakness Enumeration
Incorrect Authorization
LPE
Affected Products
Open-Webui