CVE-2026-45316: Open WebUI: read users can modify note pin state

GHSA-jx2x-j75f-xq3j LOW PoC AVAILABLE CISA: TRACK*
Published May 14, 2026
CISO Take

Open WebUI versions up to 0.9.2 contain an authorization logic error in the notes feature where the pin endpoint incorrectly checks read permission instead of write, allowing any user with read-only access to a shared note to toggle its pinned status — a state-modifying write operation. Impact is strictly confined to the is_pinned boolean field; note content, titles, and access controls cannot be modified via this flaw, limiting practical blast radius significantly. With no EPSS data, no public exploit, no Nuclei template, and absence from CISA KEV, active exploitation is unlikely — but the fact that open-webui carries 91 total CVEs and a package risk score of 38/100 signals a pattern of authorization quality issues worth monitoring in organizations using it as their LLM front-end. Upgrade to open-webui v0.9.3, where a one-line fix already ships; if immediate upgrade is blocked, restrict note sharing to trusted users only until patched.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Low risk. CVSS 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) accurately reflects the constrained scope: network-exploitable but requires authenticated read-level access and implicit user interaction via the sharing mechanism. No confidentiality loss, no content modification, no persistent privilege escalation beyond toggling a boolean UI state. No public exploit or active scanner template exists. The main concern is not this individual CVE but the broader pattern — 91 CVEs in the same package suggests authorization logic is not systematically tested in Open WebUI, which matters for organizations deploying it as a shared LLM interface for sensitive operations.

How does the attack unfold?

Initial Access
Attacker obtains a legitimate read-only account in the Open WebUI instance, either via explicit sharing invitation from a note owner or through a compromised low-privilege credential.
AML.T0012
Exploitation
Attacker sends POST /api/v1/notes/{id}/pin with their read-scoped bearer token; the endpoint's mischecked permission='read' gate accepts the request and executes the toggle_note_pinned_by_id write operation.
AML.T0049
Impact
The note's is_pinned state is silently modified for all users with access, causing persistent UI-level disruption — pinned operational prompts or checklists disappear from the pinned view without triggering content-modification audit events.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.9.2 0.9.3
143.3K Pushed 8d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
3.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Unchanged
C None
I Low
A None

What should I do?

4 steps
  1. Upgrade open-webui to v0.9.3 or later immediately — the fix is a single-line permission check change already released.

  2. If upgrade is blocked, restrict notes sharing to admin-only or disable the feature via configuration until patched.

  3. Audit server logs for anomalous POST /api/v1/notes/*/pin requests from accounts confirmed to hold only read-level access grants.

  4. Detection heuristic: flag any is_pinned toggle event where the requesting user_id is not the note owner and not an admin — these should not succeed in patched versions. No workaround fully mitigates without disabling sharing.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.1.2 - Segregation of Duties
NIST AI RMF
GOVERN 1.7 - Processes and Procedures for AI Risk Management
OWASP LLM Top 10
LLM08:2023 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-45316?

Open WebUI versions up to 0.9.2 contain an authorization logic error in the notes feature where the pin endpoint incorrectly checks read permission instead of write, allowing any user with read-only access to a shared note to toggle its pinned status — a state-modifying write operation. Impact is strictly confined to the is_pinned boolean field; note content, titles, and access controls cannot be modified via this flaw, limiting practical blast radius significantly. With no EPSS data, no public exploit, no Nuclei template, and absence from CISA KEV, active exploitation is unlikely — but the fact that open-webui carries 91 total CVEs and a package risk score of 38/100 signals a pattern of authorization quality issues worth monitoring in organizations using it as their LLM front-end. Upgrade to open-webui v0.9.3, where a one-line fix already ships; if immediate upgrade is blocked, restrict note sharing to trusted users only until patched.

Is CVE-2026-45316 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-45316, increasing the risk of exploitation.

How to fix CVE-2026-45316?

1. Upgrade open-webui to v0.9.3 or later immediately — the fix is a single-line permission check change already released. 2. If upgrade is blocked, restrict notes sharing to admin-only or disable the feature via configuration until patched. 3. Audit server logs for anomalous POST /api/v1/notes/*/pin requests from accounts confirmed to hold only read-level access grants. 4. Detection heuristic: flag any is_pinned toggle event where the requesting user_id is not the note owner and not an admin — these should not succeed in patched versions. No workaround fully mitigates without disabling sharing.

What systems are affected by CVE-2026-45316?

This vulnerability affects the following AI/ML architecture patterns: ML UI platforms, Collaborative LLM workspaces, Shared AI assistant deployments.

What is the CVSS score for CVE-2026-45316?

CVE-2026-45316 has a CVSS v3.1 base score of 3.5 (LOW). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

ML UI platformsCollaborative LLM workspacesShared AI assistant deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM08:2023

What are the technical details?

Original Advisory

### Summary The `POST /api/v1/notes/{id}/pin` endpoint performs a write operation (toggling the `is_pinned` field) but only checks for `read` permission. Users with read-only access to a shared note can pin/unpin it, which is a state-modifying action that should require `write` permission. All other write endpoints (update, delete, access/update) correctly check for `write` permission. ### Details **Affected code: `backend/open_webui/routers/notes.py` lines 412-444** ```python @router.post('/{id}/pin', response_model=Optional[NoteModel]) async def pin_note_by_id(...): # ... if user.role != 'admin' and ( user.id != note.user_id and not await AccessGrants.has_access( user_id=user.id, resource_type='note', resource_id=note.id, permission='read', # BUG: should be 'write' db=db, ) ): raise HTTPException(...) note = await Notes.toggle_note_pinned_by_id(id, db=db) # write operation ``` **Compare with update endpoint (correct, line 318-327):** ```python async def update_note_by_id(...): # ... and not await AccessGrants.has_access( permission='write', # correctly checks 'write' ) ``` ### PoC **Environment:** Open WebUI v0.9.2, default configuration with notes sharing enabled. **Setup:** 1. UserA creates a note 2. UserA shares note with UserB with `read` permission via `POST /api/v1/notes/{id}/access/update` with `{"access_grants":[{"principal_type":"user","principal_id":"USERB_ID","permission":"read"}]}` **Test:** ```bash # Step 1: UserB reads note (READ permission) -> 200 OK, write_access: false curl -s http://TARGET/api/v1/notes/$NOTE_ID \ -H "Authorization: Bearer $TOKEN_B" # Result: 200 OK, "write_access": false # Step 2: UserB updates note (WRITE operation) -> 403 Forbidden (correctly blocked) curl -s -X POST http://TARGET/api/v1/notes/$NOTE_ID/update \ -H "Authorization: Bearer $TOKEN_B" \ -H "Content-Type: application/json" \ -d '{"title":"HACKED","content":"pwned","data":{"type":"note"}}' # Result: 403 Forbidden # Step 3: UserB pins note (WRITE operation, but only checks READ) -> 200 OK (BUG!) curl -s -X POST http://TARGET/api/v1/notes/$NOTE_ID/pin \ -H "Authorization: Bearer $TOKEN_B" # Result: 200 OK, "is_pinned": true # Step 4: UserB can toggle pin repeatedly curl -s -X POST http://TARGET/api/v1/notes/$NOTE_ID/pin \ -H "Authorization: Bearer $TOKEN_B" # Result: 200 OK, "is_pinned": false (toggled back) ``` **E2E Verified Result:** - Step 1: UserB reads note (READ) -> 200 OK ✓ - Step 2: UserB updates note (WRITE) -> 403 Forbidden ✓ (correctly blocked) - Step 3: UserB pins note (WRITE via READ) -> 200 OK, is_pinned: true ✗ (BUG) - Step 4: UserB toggles pin again -> 200 OK, is_pinned: false ✗ (repeated write) ### Impact - A user with only `read` access to a shared note can toggle its `is_pinned` status - This modifies the note's state without write authorization - The pin status change is visible to the note owner and all other users with access - Privilege escalation from read to write on the pin operation **Limitations:** Only affects the `is_pinned` boolean field. Cannot modify title, content, or access_grants. Requires at least read access via explicit sharing. ### Fix One-line fix — change `permission='read'` to `permission='write'` in `pin_note_by_id`: ```python # backend/open_webui/routers/notes.py, line 437 - permission='read', + permission='write', ``` This makes the pin endpoint consistent with update and delete endpoints.

Exploitation Scenario

An attacker holds a legitimate read-only account in a shared Open WebUI instance — for example, a contractor granted read access to a team's prompt library stored as notes. The attacker identifies a pinned note (visible via normal read access) used by the security team as a pinned incident-response checklist prompt. The attacker repeatedly calls POST /api/v1/notes/{id}/pin with their read-scoped token, toggling the pin state off. The note disappears from the pinned view of all users without generating a content-modification alert, because the is_pinned change does not trigger content audit hooks. The team loses quick access to the pinned prompt during an active incident, introducing operational friction — all without the attacker ever modifying a single character of note content.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities