PT-2026-41194 · Unknown · Open-Webui

Published 2026-04-06 · Updated 2026-05-15 · CVE-2026-45399

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0

Description: An authorization issue allows any authenticated user with low privileges to enumerate active background tasks across the system and stop tasks belonging to other users. This occurs because the system fails to verify if the task belongs to the user making the request, operating instead on a global task namespace. An attacker can disrupt system-wide chat usage by continuously canceling other users' active tasks, affecting the integrity and usability of multi-user deployments.

Technical details include the following endpoints:
  • 'GET /api/tasks'
  • 'POST /api/tasks/stop/{task id}'
The task id variable is accepted without ownership validation.

Recommendations: Update to version 0.9.0 or later. As a temporary workaround, restrict access to the 'GET /api/tasks' and 'POST /api/tasks/stop/{task id}' endpoints to administrative users only.
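
The ownership check this advisory describes as missing, shown as an added illustration that is not Open WebUI's code: a minimal in-memory task registry whose list and stop operations are scoped to the task owner, with administrators exempt. The names `TaskRegistry`, `User`, `NotAuthorized` and the role strings are assumptions made for this sketch.

```python
from dataclasses import dataclass, field
import uuid

@dataclass(frozen=True)
class User:
    id: str
    role: str = "user"  # assumed roles for this sketch: "user" or "admin"

class NotAuthorized(Exception):
    """Raised when the caller does not own the task and is not an admin."""

@dataclass
class TaskRegistry:
    # task_id -> owner user id. Still one global namespace, as in the
    # advisory, but every operation is checked against the recorded owner.
    _owners: dict = field(default_factory=dict)

    def create(self, owner: User) -> str:
        task_id = str(uuid.uuid4())
        self._owners[task_id] = owner.id
        return task_id

    def list_tasks(self, caller: User) -> list:
        # Admins see everything; other users see only their own tasks.
        return [t for t, o in self._owners.items()
                if caller.role == "admin" or o == caller.id]

    def stop(self, task_id: str, caller: User) -> bool:
        owner = self._owners.get(task_id)
        # Same error for "unknown" and "not yours", so the response does
        # not confirm that another user's task id exists.
        if owner is None or (owner != caller.id and caller.role != "admin"):
            raise NotAuthorized(task_id)
        del self._owners[task_id]
        return True

def demo() -> dict:
    # Constructed sample users and tasks.
    alice, bob, admin = User("alice"), User("bob"), User("root", "admin")
    reg = TaskRegistry()
    a_task, b_task = reg.create(alice), reg.create(bob)
    try:
        reg.stop(a_task, bob)  # cross-user stop must be refused
        cross_user_blocked = False
    except NotAuthorized:
        cross_user_blocked = True
    return {"bob_sees_only_own": reg.list_tasks(bob) == [b_task],
            "cross_user_blocked": cross_user_blocked,
            "owner_can_stop": reg.stop(a_task, alice),
            "admin_can_stop": reg.stop(b_task, admin)}
```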

Exploit

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

BDU:2026-07192
CVE-2026-45399
GHSA-8JJP-R2W2-4V22

Affected Products

Open-Webui