CVE-2026-45345: open-webui: IDOR allows unauthorized model modification
GHSA-gm54-m39w-grjp | MEDIUM | PoC AVAILABLE | CISA: TRACK*
Open WebUI versions up to 0.5.6 contain an Insecure Direct Object Reference (IDOR) flaw that allows any authenticated user to modify another user's private AI models by calling the model update API endpoint directly, bypassing visibility and ownership controls entirely. The attack requires only a valid low-privilege account and a single crafted HTTP request, making exploitation trivial for any internal user or compromised credential; there is no active public exploit, no KEV listing, and EPSS data is unavailable, but the low barrier in multi-user shared deployments keeps real-world risk elevated. An attacker can alter model parameters, swap base models, inject malicious tool configurations, or escalate their own access rights by rewriting the target model's access_control object. Organizations should patch to open-webui 0.5.7 immediately; until patched, restrict platform access to trusted users and monitor API logs for POST requests to /api/v1/models/model/update where the requesting user differs from the model owner.
What is the risk?
Medium risk with high exploitability characteristics. CVSS 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) captures the network-accessible, low-complexity nature requiring only basic user credentials. Impact is scoped to integrity—no direct data exfiltration—but the ability to tamper with model configurations including tool integrations and access controls creates significant downstream risk in shared deployments. With 91 CVEs already tracked in this package and a risk score of 38/100, open-webui carries an established pattern of security issues that raises confidence in exploitability.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.5.6 | 0.5.7 |
Do you use Open WebUI? You're affected.
What should I do?
5 steps
1. Patch immediately: upgrade to open-webui >= 0.5.7, which implements proper server-side authorization checks on model update endpoints.
2. If patching is delayed, restrict Open WebUI access to trusted internal users via network controls (VPN, firewall rules) to reduce the attack surface to authenticated insiders only.
3. Audit existing model configurations for unauthorized changes: compare current tool integrations and access_control fields against expected values and owner assignments.
4. Monitor API access logs for unexpected POST requests to /api/v1/models/model/update, particularly where the requesting user_id differs from the model owner user_id in the payload.
5. Review and rotate any API keys or credentials stored in model tool configurations that may have been tampered with.
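A log-review helper for the monitoring step above, added here as an example (it is not Open WebUI's code): it flags POSTs to the update endpoint whose authenticated caller is not the owner named in the payload, and marks the self-granted write access the advisory describes. The record format is constructed, not Open WebUI's actual log format, and the attacker id is a placeholder.

```python
"""Log-review helper for the monitoring step above: flag POSTs to the model
update endpoint whose authenticated caller is not the model owner named in the
payload. Added example; the record format is constructed (not Open WebUI's own
log format) and the attacker id is a placeholder."""
from urllib.parse import parse_qs, urlparse

UPDATE_PATH = "/api/v1/models/model/update"
VICTIM = "565c82e6-083f-42bb-bf0f-a4e214cfb9ad"  # owner id from the PoC payload
ATTACKER = "ATTACKER-UUID-PLACEHOLDER"

# Constructed records, one per request, as an API gateway might emit:
# auth_user = caller from the session/JWT, body = parsed JSON request body.
SAMPLE_LOG = [
    {"ts": "2025-01-19T19:22:55Z", "auth_user": VICTIM, "method": "POST",
     "url": UPDATE_PATH + "?id=aaabraaa", "body": {"id": "aaabraaa", "user_id": VICTIM}},
    {"ts": "2025-01-19T19:23:10Z", "auth_user": ATTACKER, "method": "POST",
     "url": UPDATE_PATH + "?id=aaabraaa",
     "body": {"id": "aaabraaa", "user_id": VICTIM,
              "access_control": {"write": {"user_ids": [ATTACKER], "group_ids": []}}}},
    {"ts": "2025-01-19T19:24:00Z", "auth_user": ATTACKER, "method": "GET",
     "url": "/api/v1/models", "body": None},
]

def is_model_update(rec):
    return rec["method"] == "POST" and urlparse(rec["url"]).path == UPDATE_PATH

def find_cross_user_updates(records):
    """One finding per update whose caller differs from the payload's user_id.
    The payload's user_id is client-controlled, so join the stored owner from the
    models table where you can; this helper only has what is in the request."""
    findings = []
    for rec in records:
        body = rec.get("body") or {}
        if not is_model_update(rec) or not body:
            continue
        owner = body.get("user_id")
        if owner is None or owner == rec["auth_user"]:
            continue
        query_id = parse_qs(urlparse(rec["url"]).query).get("id", [None])[0]
        write = (body.get("access_control") or {}).get("write") or {}
        findings.append({"ts": rec["ts"], "model_id": query_id or body.get("id"),
                         "requester": rec["auth_user"], "owner": owner,
                         # self-granting write access is the escalation the advisory describes
                         "self_grant": rec["auth_user"] in write.get("user_ids", [])})
    return findings

if __name__ == "__main__":
    for finding in find_cross_user_updates(SAMPLE_LOG):
        print(finding)
```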
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-45345 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-45345, increasing the risk of exploitation.
What systems are affected by CVE-2026-45345?
This vulnerability affects the following AI/ML architecture patterns: LLM serving platforms, Multi-user AI management interfaces, Shared AI workspaces.
What is the CVSS score for CVE-2026-45345?
CVE-2026-45345 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.23%.
What is the AI security impact?
MITRE ATLAS Techniques
AML.T0012 Valid Accounts
AML.T0018 Manipulate AI Model
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
What are the technical details?
Original Advisory
### Summary

A user can modify another user's model even if its visibility is set to `Private`. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.

### Details / PoC

The user `Victim` created a private model with the visibility set to `private`:

The user `Attacker` can edit this model using the following POST request:

```
POST /api/v1/models/model/update?id=aaabraaa HTTP/2
Host: domain.local
//Some headers removed
Te: trailers

{"id":"aaabraaa","base_model_id":"gpt-4o-POC","name":"testmodel","meta":{"profile_image_url":"/static/favicon.png","description":"","capabilities":{"vision":true,"usage":false,"citations":true},"suggestion_prompts":null,"tags":[],"toolIds":["test"]},"params":{},"user_id":"565c82e6-083f-42bb-bf0f-a4e214cfb9ad","access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}},"is_active":true,"updated_at":1737314575,"created_at":1737121281}
```

Request / Response

### Impact

A user can modify another user's model even if its visibility is set to `Private`. By changing the access permissions during editing, unauthorized access can be gained.
Exploitation Scenario
An attacker with a standard user account on a shared Open WebUI instance enumerates model IDs, which appear as readable strings in the UI or API responses, to identify a target user's private model. The attacker crafts a single POST request to /api/v1/models/model/update?id=<target_model_id> with a JSON body that rewrites the access_control object to include their own user_id in write permissions, or injects a malicious toolId into the model's tool list pointing to an attacker-controlled service. Since the server performs no ownership validation, the request succeeds silently. In an AI team workflow context, this enables persistent unauthorized access to premium model capabilities, manipulation of colleague AI interactions, or injection of data-exfiltrating tools into production AI workflows.
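The missing check, shown as an added example that is not Open WebUI's code: the pre-fix shape applies whatever an authenticated caller sends, while the fixed shape decides from the stored record (owner, admin role, or an explicit write grant) and ignores the id and user_id fields of the client payload. Role names, the record shape and the in-memory store are assumptions; the owner and model ids are taken from the PoC above.

```python
"""Illustrative authorization check for a model update endpoint, matching the
advisory above. Added example: not Open WebUI's code; role names, record shape
and the in-memory store are assumptions."""
from dataclasses import dataclass, field

VICTIM = "565c82e6-083f-42bb-bf0f-a4e214cfb9ad"  # owner id from the PoC payload
MODEL_ID = "aaabraaa"                             # model id from the PoC
EDITABLE = ("name", "base_model_id", "meta", "params", "access_control")

@dataclass
class User:
    id: str
    role: str = "user"                            # assumed roles: "user" / "admin"
    group_ids: set = field(default_factory=set)

@dataclass
class ModelRecord:
    id: str
    user_id: str                                  # owner, as stored server-side
    fields: dict = field(default_factory=dict)    # access_control lives here too

def make_store():
    """Constructed stand-in for the models table: one private model owned by VICTIM."""
    return {MODEL_ID: ModelRecord(MODEL_ID, VICTIM, {"name": "testmodel"})}

def can_write(requester, model):
    """Owner, admin, or an explicit write grant on the *stored* record."""
    if requester.role == "admin" or model.user_id == requester.id:
        return True
    write = (model.fields.get("access_control") or {}).get("write") or {}
    return (requester.id in write.get("user_ids", [])
            or bool(requester.group_ids & set(write.get("group_ids", []))))

def _apply(model, payload):
    # Only editable keys are copied; id and user_id from the client are ignored.
    model.fields.update({k: v for k, v in payload.items() if k in EDITABLE})

def update_model_vulnerable(store, requester, model_id, payload):
    """Pre-fix shape (CWE-285): authenticated, but no ownership check at all."""
    _apply(store[model_id], payload)
    return True

def update_model(store, requester, model_id, payload):
    """Fixed shape: refuse (403) unless can_write; only then apply the edit."""
    model = store.get(model_id)
    if model is None or not can_write(requester, model):
        return False
    _apply(model, payload)
    return True
```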
Weaknesses (CWE)
CWE-285 — Improper Authorization: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Related Vulnerabilities
CVE-2026-44551 (9.1) open-webui: LDAP auth bypass — full account takeover (same package: open-webui)
CVE-2026-45672 (8.8) open-webui: code exec gate bypass via API endpoint (same package: open-webui)
CVE-2026-44552 (8.7) open-webui: Redis cache poisoning enables cross-instance tool hijack (same package: open-webui)
CVE-2025-64495 (8.7) Open WebUI: XSS-to-RCE via malicious prompt injection (same package: open-webui)
CVE-2026-45315 (8.7) open-webui: stored XSS → JWT theft and admin takeover (same package: open-webui)