PT-2026-41174 · Unknown · Open-Webui

Published: 2026-04-21 · Updated: 2026-05-15 · CVE-2026-45339

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Open WebUI versions prior to 0.9.0
Description

An issue exists where administrators' restrictions on API endpoint access can be bypassed. When a key is restricted from the '/api/v1/messages' endpoint, a request presenting it in the Authorization: Bearer header is correctly blocked, but a request presenting the same API key in the x-api-key header is authenticated and processed. The cause is that the endpoint restriction check is applied only to keys presented via the Authorization header; the x-api-key header, accepted for the Anthropic-compatible API paths, remains valid for authentication but skips this check. Consequently, any API key can reach any endpoint regardless of its configured restrictions.
Recommendations

Update to version 0.9.0.
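The flaw described above, reduced to its authorization logic as an added example (written in Python since Open WebUI's backend is Python; this is illustration code, not Open WebUI's own authorization code). The two header names and the /api/v1/messages path come from the advisory; the key store, the glob-style endpoint allow-list, the status codes and every function name are assumptions made for the example. The vulnerable authorizer consults the allow-list only when the key arrived via Authorization: Bearer, the fixed one consults it whichever header carried the key, and a differential check shows how a tester would recognise the bypass:

```python
"""
Model of the Open WebUI API-key endpoint-restriction bypass (CVE-2026-45339).

Added illustration, not Open WebUI's own code. The header names and the
/api/v1/messages path are from the advisory; the key store, the allow-list
model and all function names are assumptions for this example.
"""
from fnmatch import fnmatch
from typing import Mapping, Optional, Tuple

# Constructed sample key store: token -> endpoint patterns the key may reach.
# An empty allow-list means "unrestricted" (assumption for this model).
API_KEYS = {
    "sk-demo-chat-only": ["/api/chat/*"],  # admin restricted this key to chat
    "sk-demo-unrestricted": [],
}


def extract_key(headers: Mapping[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, header_used); header names are matched case-insensitively.
    Authorization: Bearer is tried first, then x-api-key, as both are accepted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip(), "authorization"
    xkey = lowered.get("x-api-key")
    if xkey:
        return xkey.strip(), "x-api-key"
    return None, None


def endpoint_allowed(allow_list, path: str) -> bool:
    """Unrestricted keys reach everything; restricted keys must match a pattern."""
    return not allow_list or any(fnmatch(path, pat) for pat in allow_list)


def authorize_vulnerable(headers: Mapping[str, str], path: str) -> int:
    """Pre-0.9.0 behaviour as the advisory describes it: the endpoint
    restriction is enforced only for keys sent in the Authorization header."""
    token, source = extract_key(headers)
    allow_list = API_KEYS.get(token)
    if allow_list is None:
        return 401  # unknown or missing key: authentication fails
    if source == "authorization" and not endpoint_allowed(allow_list, path):
        return 403  # restriction enforced on this path only
    return 200  # x-api-key bypasses the allow-list entirely


def authorize_fixed(headers: Mapping[str, str], path: str) -> int:
    """Hardened form: the decision depends on the key, never on which
    header delivered it."""
    token, _source = extract_key(headers)
    allow_list = API_KEYS.get(token)
    if allow_list is None:
        return 401
    if not endpoint_allowed(allow_list, path):
        return 403
    return 200


def header_bypass_exists(authorize, token: str, path: str) -> bool:
    """Differential check: True when the same key gets a different decision
    via x-api-key than via Authorization: Bearer for the same path."""
    via_bearer = authorize({"Authorization": f"Bearer {token}"}, path)
    via_xkey = authorize({"x-api-key": token}, path)
    return via_bearer != via_xkey


if __name__ == "__main__":
    path = "/api/v1/messages"
    for name, fn in (("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)):
        print(name, "bypass:", header_bypass_exists(fn, "sk-demo-chat-only", path))
```

The same differential check is the useful test against a live instance after the update: a key an administrator has restricted from '/api/v1/messages' must be refused whether it is sent as Authorization: Bearer or as x-api-key; any difference between the two responses means the restriction is still tied to the header rather than to the key.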

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BDU:2026-07196
CVE-2026-45339
GHSA-57Q6-FVP4-PQMM

Affected Products

Open-Webui