PT-2026-41199 · Unknown · Open-Webui

Published: 2026-03-18 · Updated: 2026-05-16 · CVE-2026-45666

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Open WebUI versions prior to 0.8.11

Description
The API endpoint '/api/v1/notes/{note id}' lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating note id UUIDs. This can lead to the unauthorized disclosure of sensitive or private user data. If the notes feature is disabled in the UI, an attacker can potentially enable it via the '/api/config' endpoint to facilitate the attack.

Recommendations
Update to version 0.8.11 or later.
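
The missing check described above, shown as an added example (not Open WebUI's code): a lookup that returns a note by id alone, beside one that compares the caller to the note's owner, plus a regression check that counts cross-user reads. The Note model, the shared_with field, the function names and the sample data are all hypothetical.

```python
import uuid
from dataclasses import dataclass

class NotFound(Exception):
    """Would map to HTTP 404 in a real handler."""

@dataclass(frozen=True)
class Note:
    id: str
    owner_id: str
    body: str
    shared_with: frozenset = frozenset()  # hypothetical explicit grants

def get_note_unchecked(store, note_id, user_id):
    # Pattern from the description: the caller is authenticated, but
    # user_id is never compared with the note's owner.
    note = store.get(note_id)
    if note is None:
        raise NotFound(note_id)
    return note

def get_note_checked(store, note_id, user_id):
    # Ownership is enforced server-side on every read. "Missing" and
    # "not yours" raise the same error, so replies do not confirm valid ids.
    note = store.get(note_id)
    if note is None or not (user_id == note.owner_id or user_id in note.shared_with):
        raise NotFound(note_id)
    return note

def cross_user_reads(getter, store, user_ids):
    """Count notes a user can read without owning them or holding a grant."""
    leaks = 0
    for user_id in user_ids:
        for note in store.values():
            if user_id == note.owner_id or user_id in note.shared_with:
                continue
            try:
                getter(store, note.id, user_id)
                leaks += 1
            except NotFound:
                pass
    return leaks

# Constructed sample data: one private note, one note shared with alice.
STORE = {n.id: n for n in (
    Note(str(uuid.uuid4()), "alice", "private draft"),
    Note(str(uuid.uuid4()), "bob", "team notes", frozenset({"alice"})),
)}
```

A check like cross_user_reads fits in an API test suite, run against every object-by-id route so a new endpoint without an ownership check fails the build.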

Exploit

Fix

IDOR


Weakness Enumeration

Related Identifiers

BDU:2026-07457
CVE-2026-45666
GHSA-X3QM-P8HR-3C3H

Affected Products

Open-Webui