PT-2026-41179 · Unknown · Open-Webui
Published: 2026-03-10 · Updated: 2026-05-15 · CVE-2026-45349
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Open WebUI versions prior to 0.9.0
Description
A user can continue another user's conversation if the target user's Chat ID is known. This occurs because the system does not verify that the Chat ID belongs to the user who created it. An attacker can call the '/api/chat/completions' endpoint with their own API key and another user's Chat ID to access and extend private conversations, provided both users have access to the same model.
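The missing check described above, modelled as an added example (not Open WebUI's code): a handler that authorizes only model access, next to one that also binds the Chat ID to the authenticated caller. The `Chat` class, the function names, the in-memory store and the sample users are all hypothetical.

```python
"""Constructed model of a chat-ownership check; names and data are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Chat:
    owner_id: str
    model: str
    messages: list = field(default_factory=list)


class ChatNotFound(Exception):
    """Used for unknown AND foreign chat IDs, so the error reveals nothing about ownership."""


# Constructed sample: both users may use model "m1".
MODEL_ACCESS = {"alice": {"m1"}, "bob": {"m1"}}


def fresh_chats():
    # Constructed sample store: alice owns one private chat.
    return {"c-alice-1": Chat("alice", "m1", [("user", "private note")])}


def complete_without_owner_check(user_id, chat_id, model, prompt, chats):
    # Only model access is authorized; the chat is resolved by ID alone.
    if model not in MODEL_ACCESS.get(user_id, set()):
        raise PermissionError("model not allowed")
    chat = chats[chat_id]
    chat.messages.append(("user", prompt))
    return list(chat.messages)  # prior history is exposed to the caller


def complete_with_owner_check(user_id, chat_id, model, prompt, chats):
    if model not in MODEL_ACCESS.get(user_id, set()):
        raise PermissionError("model not allowed")
    chat = chats.get(chat_id)
    # Object-level authorization: the caller must be the chat's creator.
    if chat is None or chat.owner_id != user_id:
        raise ChatNotFound(chat_id)
    chat.messages.append(("user", prompt))
    return list(chat.messages)
```

Returning the same error for a missing chat and a chat owned by someone else keeps the endpoint from confirming which Chat IDs exist.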
Recommendations
Update to version 0.9.0 or later.
Exploit
Fix
IDOR
Affected Products
Open-Webui