CVE-2026-45387

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.5

Description An issue exists in the self-hosted artificial intelligence platform where users can access the system prompt of a model they do not own if a group has been granted read access. This allows for system prompt leakage, which may contain confidential information. The issue occurs because the workspace model edit page "/workspace/models/edit?id=notmymodel" can be opened for models not in the user's workspace. At the API level, the endpoint "/api/v1/models/model?id=notmymodel" returns model details, specifically the params.system variable, even when the model is not listed in the REST API list due to lack of write permissions.

Recommendations Update to version 0.9.5.