CVE-2026-45345: open-webui: IDOR allows unauthorized model modification

GHSA-gm54-m39w-grjp | Severity: MEDIUM | Public PoC available | CISA SSVC: TRACK*
Published May 14, 2026
CISO Take

Open WebUI versions up to and including 0.5.6 contain an Insecure Direct Object Reference (IDOR) in the model update endpoint: any authenticated user can modify another user's model, including models whose visibility is set to Private, by calling POST /api/v1/models/model/update?id=<model_id> directly, because the server never checks that the requester owns the model or holds write access to it. The attack needs only a valid low-privilege account and a single crafted request, and the original advisory publishes that request, so exploitation is trivial for any internal user or compromised credential. The CVE is not listed in CISA KEV and its EPSS score is low (0.23%), but in multi-user deployments the low barrier keeps real-world risk elevated. An attacker can alter model parameters, swap the base model, attach tool IDs of their choosing, or grant themselves persistent access by rewriting the target model's access_control object. Upgrade to open-webui 0.5.7 or later; until patched, restrict platform access to trusted users and monitor API logs for POST requests to /api/v1/models/model/update where the authenticated user differs from the model's stored owner.

Sources: NVD, GitHub Advisory, ATLAS, OpenSSF

What is the risk?

Medium severity with high exploitability. CVSS 3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N): reachable over the network, low attack complexity, only low-privilege credentials required, no user interaction. Impact is confined to integrity (C:N, A:N), so the flaw itself exfiltrates nothing, but tampering with a model's tool list and access_control in a shared deployment creates downstream risk: every colleague who uses the altered model inherits the attacker's changes. With 91 CVEs already tracked in this package and a risk score of 38/100, open-webui has an established pattern of security issues, and the published proof of concept leaves little doubt that this one is practically exploitable.

How does the attack unfold?

Initial Access (AML.T0012 Valid Accounts)
The attacker authenticates to the Open WebUI instance with any valid low-privilege user account; no elevated role or special capability is needed.
Target Discovery (AML.T0049 Exploit Public-Facing Application)
The attacker learns the target model's ID. Model IDs are readable strings (the advisory's PoC uses "aaabraaa") and can be obtained from API responses, the UI, or knowledge of the shared environment.
Exploitation (AML.T0049 Exploit Public-Facing Application)
The attacker sends a crafted POST to /api/v1/models/model/update?id=<target_id>. The server never compares the requester to the model's stored owner, so the request body overwrites the model's parameters, base model, tool list (meta.toolIds) and access_control object.
Impact (AML.T0081 Modify AI Agent Configuration)
The victim's private model is silently modified: access permissions rewritten to grant the attacker read and write rights, a tool of the attacker's choosing attached, or model behaviour changed, compromising the integrity of every workflow that uses that model.

What systems are affected?

Package: Open WebUI
Ecosystem: pip
Vulnerable range: <= 0.5.6
Patched version: 0.5.7
Package stats: 143.3K, pushed 8d ago, 77% patched, ~5d to patch

If you run Open WebUI 0.5.6 or earlier, you are affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 0.23% chance of exploitation in 30 days (higher than 13% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC (indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None

What should I do?

5 steps
  1. Patch immediately: upgrade to open-webui >= 0.5.7 which implements proper server-side authorization checks on model update endpoints.

  2. If patching is delayed, restrict Open WebUI access to trusted internal users via network controls (VPN, firewall rules) to reduce attack surface to authenticated insiders only.

  3. Audit existing model configurations for unauthorized changes—compare current tool integrations and access_control fields against expected values and owner assignments.

  4. Monitor API access logs for POST requests to /api/v1/models/model/update and compare the authenticated user of each request with the owner recorded in the models table for the id in the query string. Do not rely on the user_id field in the request body: it is attacker-controlled, and in the advisory's PoC it carries the victim's id.

  5. Review and rotate any API keys or credentials stored in model tool configurations that may have been tampered with.
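Steps 3 and 4 above can be mechanised. The following is an added example, not code from the page or from Open WebUI: it runs a cross-owner check over constructed request-log lines and a drift audit over a constructed snapshot of the models table. It assumes (1) a JSON-lines request log that records the authenticated user per request, for example from a reverse proxy or an application audit hook (Open WebUI's default access log does not carry such a field, so `user_id` is an assumption), (2) an owner table taken from a backup predating the suspicious window, (3) an assumed set of admin accounts allowed to edit any model, and (4) model rows shaped like the advisory's payload (id, user_id, access_control, meta.toolIds). All ids and tool names other than the model id "aaabraaa" are invented.

```python
"""Detection and audit helpers for cross-owner model updates.

Added example, not from the page or from Open WebUI. Assumes a JSON-lines
request log with an authenticated `user_id` per request, a stored owner
table, an admin allowlist, and model rows shaped like the advisory's body.
"""
import json
from urllib.parse import parse_qs, urlsplit

UPDATE_PATH = "/api/v1/models/model/update"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
{"ts":"2026-05-15T09:01:02Z","user_id":"victim-uuid","method":"POST","url":"/api/v1/models/model/update?id=aaabraaa","status":200}
{"ts":"2026-05-15T09:05:10Z","user_id":"attacker-uuid","method":"GET","url":"/api/v1/models/","status":200}
{"ts":"2026-05-15T09:05:41Z","user_id":"attacker-uuid","method":"POST","url":"/api/v1/models/model/update?id=aaabraaa","status":200}
{"ts":"2026-05-15T09:06:00Z","user_id":"attacker-uuid","method":"POST","url":"/api/v1/models/model/update?id=teammodel","status":403}
{"ts":"2026-05-15T09:06:30Z","user_id":"attacker-uuid","method":"POST","url":"/api/v1/models/model/update?id=doesnotexist","status":404}
{"ts":"2026-05-15T09:07:00Z","user_id":"admin-uuid","method":"POST","url":"/api/v1/models/model/update?id=aaabraaa","status":200}
"""

# Owner table from before the suspicious window (e.g. a database backup) and
# the admin accounts assumed to be allowed to edit any model.
MODEL_OWNERS = {"aaabraaa": "victim-uuid", "teammodel": "victim-uuid"}
ADMINS = {"admin-uuid"}


def parse_line(line: str) -> dict:
    """Decode one log record and pull the model id out of ?id=..."""
    rec = json.loads(line)
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["model_id"] = parse_qs(parts.query).get("id", [None])[0]
    return rec


def cross_owner_updates(log_text: str, owners: dict, admins: set) -> list:
    """Model-update requests by a user who neither owns the target nor is an
    admin. Ownership comes from the stored table, never from the request
    body, which the attacker controls (the PoC body carries the victim's id).
    status 200 = a write that went through; 4xx = a rejected attempt, which
    after patching is the probing signal."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST" or rec["path"] != UPDATE_PATH:
            continue
        owner = owners.get(rec["model_id"])
        if owner is None or rec["user_id"] in admins or rec["user_id"] == owner:
            continue
        hits.append({"ts": rec["ts"], "actor": rec["user_id"], "model_id": rec["model_id"],
                     "owner": owner, "status": rec["status"]})
    return hits


def audit_models(models: list, owners: dict, allowed_tools: set) -> list:
    """Compare live model rows with expected owners and a tool allowlist.
    Flags owner drift, write grants to anyone but the owner, and unknown
    tool ids. A null access_control (Open WebUI's public model) has no
    grants to inspect and is skipped."""
    findings = []
    for m in models:
        mid = m["id"]
        if owners.get(mid) != m["user_id"]:
            findings.append((mid, "owner-drift", m["user_id"]))
        acl = m.get("access_control") or {}
        for uid in acl.get("write", {}).get("user_ids", []):
            if uid != m["user_id"]:
                findings.append((mid, "foreign-write-grant", uid))
        for tool in m.get("meta", {}).get("toolIds", []):
            if tool not in allowed_tools:
                findings.append((mid, "unknown-tool", tool))
    return findings


# Constructed post-incident snapshot of the models table.
SAMPLE_MODELS = [
    {"id": "aaabraaa", "user_id": "victim-uuid", "meta": {"toolIds": ["attacker-tool"]},
     "access_control": {"read": {"group_ids": [], "user_ids": ["attacker-uuid"]},
                        "write": {"group_ids": [], "user_ids": ["attacker-uuid"]}}},
    {"id": "teammodel", "user_id": "victim-uuid", "meta": {"toolIds": ["web_search"]},
     "access_control": None},
]

if __name__ == "__main__":
    for h in cross_owner_updates(SAMPLE_LOG, MODEL_OWNERS, ADMINS):
        print("ALERT", h)
    for f in audit_models(SAMPLE_MODELS, MODEL_OWNERS, {"web_search"}):
        print("FINDING", f)
```

On the sample data this raises two alerts (the successful overwrite of "aaabraaa" and a rejected attempt on "teammodel") and two findings on "aaabraaa" (a write grant to a non-owner and a tool id outside the allowlist). Admin-originated updates are deliberately excluded; if your deployment does not let admins edit other users' models, pass an empty admin set.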

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.1.2 - Access control to AI system information
NIST AI RMF
MANAGE-2.2 - Mechanisms for maintaining AI system integrity
OWASP LLM Top 10
LLM04 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-45345?

An Insecure Direct Object Reference (IDOR) in Open WebUI 0.5.6 and earlier. The model update endpoint (POST /api/v1/models/model/update?id=<model_id>) does not verify that the authenticated user owns the model, so any low-privilege user can overwrite another user's private model, including its base model, tool list and access_control object, with a single request. A public proof of concept exists, the CVE is not in CISA KEV, and the fix ships in 0.5.7. The CISO Take above gives the full summary.

Is CVE-2026-45345 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-45345, increasing the risk of exploitation.

How to fix CVE-2026-45345?

Upgrade to open-webui 0.5.7 or later, which adds the missing server-side ownership check. Until then: restrict access to trusted users via network controls, audit model access_control fields and tool lists for unauthorized changes, monitor for POST /api/v1/models/model/update requests from users who do not own the target model, and rotate any credentials held in tool configurations that may have been tampered with. The five steps are listed in full under "What should I do?" above.

What systems are affected by CVE-2026-45345?

This vulnerability affects the following AI/ML architecture patterns: LLM serving platforms, Multi-user AI management interfaces, Shared AI workspaces.

What is the CVSS score for CVE-2026-45345?

CVE-2026-45345 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

LLM serving platforms
Multi-user AI management interfaces
Shared AI workspaces

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0018 Manipulate AI Model
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

### Summary

A user can modify another user's model even if its visibility is set to `Private`. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.

### Details / PoC

The user `Victim` created a private model with the visibility set to `private`:

![grafik](https://github.com/user-attachments/assets/de057943-512b-46bf-8671-2904d55ec056)

The user `Attacker` can edit this model using the following POST request:

```
POST /api/v1/models/model/update?id=aaabraaa HTTP/2
Host: domain.local
//Some headers removed
Te: trailers

{
  "id": "aaabraaa",
  "base_model_id": "gpt-4o-POC",
  "name": "testmodel",
  "meta": {
    "profile_image_url": "/static/favicon.png",
    "description": "",
    "capabilities": {"vision": true, "usage": false, "citations": true},
    "suggestion_prompts": null,
    "tags": [],
    "toolIds": ["test"]
  },
  "params": {},
  "user_id": "565c82e6-083f-42bb-bf0f-a4e214cfb9ad",
  "access_control": {
    "read": {"group_ids": [], "user_ids": []},
    "write": {"group_ids": [], "user_ids": []}
  },
  "is_active": true,
  "updated_at": 1737314575,
  "created_at": 1737121281
}
```

Request / Response

![grafik](https://github.com/user-attachments/assets/19986403-b782-4288-b618-202b55519bb1)

### Impact

A user can modify another user's model even if its visibility is set to `Private`. By changing the access permissions during editing, unauthorized access can be gained.

Exploitation Scenario

An attacker with a standard user account on a shared Open WebUI instance enumerates model IDs, which are readable strings exposed in the UI and in API responses, to identify a target user's private model. The attacker sends a single POST to /api/v1/models/model/update?id=<target_model_id> whose JSON body rewrites the access_control object to include the attacker's own user_id under write (and read) permissions, or sets meta.toolIds to a tool the attacker controls. Because the server performs no ownership check, the request succeeds silently and the change persists. In a team setting this yields durable access to models the victim meant to keep private, manipulation of colleagues' AI interactions, and a path to inject data-exfiltrating tools into production AI workflows.
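To make the attack chain and the advisory's PoC concrete, here is an added example (not Open WebUI's code, and not from the advisory) that reconstructs the bug and its fix in a small in-memory model store. `update_model_vulnerable` mirrors the reported behaviour: it looks the model up by id and writes the client's body back without ever consulting the requester. `update_model_fixed` is the check the patch must perform: authorize against the stored owner and write ACL, and strip ownership fields from the body. Record field names (id, user_id, access_control, meta.toolIds) follow the advisory's payload and the victim id is the one in the PoC; the `User` type, the handler signatures, the admin shortcut, the attacker and admin ids and the tool id "attacker-tool" are assumptions for the demonstration.

```python
"""Toy reconstruction of the model-update IDOR and its fix.

Added example, not Open WebUI's code. Field names follow the advisory's PoC
payload; the User type, handler signatures, admin shortcut and all ids other
than the victim's are assumed.
"""
from copy import deepcopy
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    role: str = "user"
    group_ids: frozenset = frozenset()


# Constructed sample principals. The victim id is the one in the advisory.
VICTIM = User("565c82e6-083f-42bb-bf0f-a4e214cfb9ad")
ATTACKER = User("attacker-uuid")
ADMIN = User("admin-uuid", role="admin")

# Empty read/write lists = the "Private" visibility used in the PoC.
PRIVATE_ACL = {"read": {"group_ids": [], "user_ids": []},
               "write": {"group_ids": [], "user_ids": []}}


def fresh_store() -> dict:
    """Victim's private model 'aaabraaa', as in the advisory."""
    return {"aaabraaa": {"id": "aaabraaa", "user_id": VICTIM.id,
                         "base_model_id": "gpt-4o", "meta": {"toolIds": []},
                         "access_control": deepcopy(PRIVATE_ACL)}}


class Forbidden(Exception):
    pass


def has_write_access(user: User, model: dict) -> bool:
    """Owner, admin (assumed to edit any model), or a user/group in the write ACL."""
    if user.role == "admin" or model["user_id"] == user.id:
        return True
    write = (model.get("access_control") or {}).get("write", {})
    return user.id in write.get("user_ids", []) or bool(
        user.group_ids & set(write.get("group_ids", [])))


def update_model_vulnerable(store: dict, requester: User, model_id: str, form: dict) -> dict:
    """Pre-fix behaviour: look the model up by id and write the body back.
    `requester` is never consulted, which is the IDOR."""
    if model_id not in store:
        raise KeyError(model_id)
    store[model_id].update(form)
    return store[model_id]


def update_model_fixed(store: dict, requester: User, model_id: str, form: dict) -> dict:
    """Post-fix behaviour: authorize against the stored record (never against
    the user_id the client sent) and refuse to let the body reassign ownership."""
    model = store.get(model_id)
    if model is None:
        raise KeyError(model_id)
    if not has_write_access(requester, model):
        raise Forbidden(f"{requester.id} may not modify model {model_id}")
    model.update({k: v for k, v in form.items()
                  if k not in ("id", "user_id", "created_at")})
    return model


def attacker_form() -> dict:
    """Escalation body in the spirit of the PoC: keep the victim's user_id so
    the row still looks like hers, grant the attacker read/write, and attach
    a tool id the attacker controls ('attacker-tool' is assumed)."""
    acl = deepcopy(PRIVATE_ACL)
    acl["read"]["user_ids"].append(ATTACKER.id)
    acl["write"]["user_ids"].append(ATTACKER.id)
    return {"id": "aaabraaa", "user_id": VICTIM.id,
            "meta": {"toolIds": ["attacker-tool"]}, "access_control": acl}


def demo() -> tuple:
    """Returns (escalated_on_vulnerable, blocked_on_fixed, fixed_store_unchanged)."""
    vuln = fresh_store()
    update_model_vulnerable(vuln, ATTACKER, "aaabraaa", attacker_form())
    escalated = has_write_access(ATTACKER, vuln["aaabraaa"])

    fixed = fresh_store()
    try:
        update_model_fixed(fixed, ATTACKER, "aaabraaa", attacker_form())
        blocked = False
    except Forbidden:
        blocked = True
    unchanged = fixed["aaabraaa"]["access_control"] == PRIVATE_ACL
    return escalated, blocked, unchanged


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point of the fixed handler is where the authorization decision reads its inputs from: the owner and ACL come from the stored row, the requester comes from the session, and nothing in the client body can influence either. Filtering `user_id` out of the body closes the companion hole where an owner (or anyone who passed the check) could hand the model to someone else by editing that field.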

Weaknesses (CWE)

CWE-285 — Improper Authorization: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities