CVE-2026-45351: Open WebUI: admin system prompts exposed to all users

GHSA-jh9g-8jqw-m2qx MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 14, 2026
CISO Take

Open WebUI versions up to 0.8.8 expose admin-configured system prompts to any authenticated user via the unprotected /api/models? endpoint — leaking the instructions, constraints, and operational logic that admins intended to keep confidential. System prompts routinely encode safety guardrails, business logic, and capability boundaries, so their disclosure hands an attacker a roadmap to craft targeted jailbreaks or content manipulation attacks against the same deployment. With 91 prior CVEs in this package, a trivially low attack complexity (any registered user, no special tools), and CVSS AV:N/PR:L, every multi-user Open WebUI deployment is exposed until patched. Upgrade to open-webui 0.8.9 immediately; as an interim control, restrict the /api/models? response at the reverse proxy or API gateway layer to admin-authenticated tokens only.

Sources: NVD, GitHub Advisory, ATLAS, OWASP LLM Top 10

What is the risk?

Medium severity (CVSS 6.5) with a deceptively low exploitation barrier: any registered non-admin user can trigger this by observing browser network traffic — no exploit tooling required. The attack is fully network-accessible, requires only low privileges, and has no user interaction dependency. While not in CISA KEV and lacking a public PoC or scanner template, the trivial reproducibility and high confidentiality impact (C:H) elevate operational risk beyond the raw CVSS score for organizations where system prompts encode sensitive business logic or compliance-relevant safety rules. The 91 existing CVEs in this package suggest a systemic pattern of insufficient authorization checks across the Open WebUI codebase.

How does the attack unfold?

Initial Access (AML.T0012): Attacker authenticates to Open WebUI with any valid non-admin account (self-registered, stolen, or insider), obtaining a JWT bearer token.

System Prompt Discovery (AML.T0056): The application automatically fires GET /api/models? on login; the attacker captures this request via browser dev tools or a proxy and reads the full system_prompt fields for all admin-configured models.

Reconnaissance (AML.T0069.002): Attacker analyzes extracted system prompts to map model capabilities, identify safety guardrail logic, and locate any embedded references to internal data sources or RAG configurations.

Impact (AML.T0051): Using the leaked instructions as a blueprint, the attacker crafts targeted prompts to bypass content restrictions, extract RAG-indexed data, or manipulate model outputs, with full knowledge of the defensive rules in place.

What systems are affected?

Package: Open WebUI
Ecosystem: pip
Vulnerable Range: <= 0.8.8
Patched: 0.8.9
Package stats: 143.3K, pushed 8d ago, 77% patched, ~5d to patch

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 20% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

5 steps
  1. PATCH

    Upgrade open-webui pip package to 0.8.9 immediately (patched release available).

  2. INTERIM WORKAROUND

    At the reverse proxy (nginx/Caddy) layer, restrict /api/models? to requests bearing admin-role JWT claims; return a filtered response (model name only) to standard users until the patch is applied.

  3. AUDIT

    Review current system prompts for sensitive data — API keys, internal hostnames, compliance logic, or bypass-relevant safety rules — and rotate or redact as appropriate.

  4. DETECTION

    Search application and proxy logs for GET /api/models? requests from non-admin user tokens in the period since deployment; flag any access from unexpected accounts or IP ranges.

  5. COMPENSATING CONTROL

    Until patched, disable system prompt population for models exposed to untrusted users.
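Steps 2, 3 and 4 above (response filtering, prompt audit, log detection) worked through as one added Python example. This is not Open WebUI's code and not code from this page or the advisory; every function name, model entry, token and log line below is constructed. It assumes the model list is a JSON array of objects carrying `id`, `name` and `system_prompt` keys, that the proxy log is an nginx-style format whose last quoted field is the Authorization header, and that the caller's admin status is looked up out of band: the bearer token captured in the original advisory decodes to a payload holding only `id` and `exp`, so a role cannot be read from the token itself and must come from the user directory.

```python
"""Defender-side helpers for the admin-prompt leak described above.

Added example, not code from Open WebUI or from this advisory page. Assumed
(constructed) shapes: the /api/models response is a list of model objects with
"id", "name" and "system_prompt" keys; proxy log lines are an nginx-style
format that appends the Authorization header value; admin status comes from
an out-of-band user directory, not from the token.
"""
import base64
import json
import re

# Fields a non-admin caller is allowed to see (advisory recommendation:
# model name and non-sensitive details only).
PUBLIC_FIELDS = ("id", "name")


def filter_models_for_role(models, is_admin):
    """Step 2: return the model list untouched for admins; for everyone
    else strip all but the public fields (this drops system_prompt)."""
    if is_admin:
        return models
    return [{k: v for k, v in m.items() if k in PUBLIC_FIELDS} for m in models]


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Read a JWT payload WITHOUT verifying the signature. Only for log
    triage (attributing a request to a user id), never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(payload):
    """Build a constructed JWT-shaped token (header.payload.dummy-signature)
    for the sample log lines below."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed nginx-style log format: the last quoted field is $http_authorization.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "Bearer (?P<jwt>[^"]+)"$'
)


def find_non_admin_model_fetches(log_lines, admin_ids):
    """Step 4: list GET /api/models requests whose bearer token does not
    belong to a known admin id. Malformed tokens are reported as well."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not m["path"].startswith("/api/models"):
            continue
        try:
            user_id = decode_jwt_payload(m["jwt"]).get("id")
        except ValueError:  # covers bad base64 and bad JSON alike
            user_id = None
        if user_id not in admin_ids:
            hits.append({"ip": m["ip"], "time": m["ts"], "user_id": user_id})
    return hits


# Step 3: crude patterns for data that should never sit in a prompt that
# non-admins could have read. Tune the patterns for your environment.
SECRET_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "internal_host": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|corp|local|lan)\b", re.I),
    "key_like": re.compile(r"\b(?:api[_ -]?key|token|secret)\b\s*[:=]\s*\S+", re.I),
}


def audit_system_prompt(prompt):
    """Return the names of the matching patterns, sorted for stable output."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(prompt))


# --- constructed sample data (not from any real deployment) -------------------
ADMIN_IDS = {"admin-1"}
SAMPLE_MODELS = [
    {"id": "hr-assistant", "name": "HR Assistant",
     "system_prompt": "Refer legal questions to hr@company.com. "
                      "RAG index host: hrdb.corp.internal. api_key=constructed-key-123"},
    {"id": "public-faq", "name": "Public FAQ",
     "system_prompt": "Answer only product questions."},
]
SAMPLE_LOG = [
    f'10.0.0.5 - - [14/May/2026:10:00:01 +0000] "GET /api/models? HTTP/1.1" 200 812 '
    f'"Bearer {make_unsigned_token({"id": "admin-1", "exp": 1800000000})}"',
    f'10.0.0.9 - - [14/May/2026:10:02:11 +0000] "GET /api/models? HTTP/1.1" 200 812 '
    f'"Bearer {make_unsigned_token({"id": "user-2", "exp": 1800000000})}"',
    f'10.0.0.9 - - [14/May/2026:10:02:12 +0000] "GET /api/v1/chats/ HTTP/1.1" 200 40 '
    f'"Bearer {make_unsigned_token({"id": "user-2", "exp": 1800000000})}"',
]

if __name__ == "__main__":
    print(filter_models_for_role(SAMPLE_MODELS, is_admin=False))
    print(find_non_admin_model_fetches(SAMPLE_LOG, ADMIN_IDS))
    for model in SAMPLE_MODELS:
        print(model["id"], audit_system_prompt(model["system_prompt"]))
```

The filter is the shape a patched endpoint or a proxy-side response rewrite should have: an allow-list of fields, not a deny-list of `system_prompt`, so any future sensitive field is withheld by default. The detector deliberately decodes tokens without verification, which is acceptable for attributing historical log lines but is exactly the shortcut an authorization check must never take; keep it in the triage script only.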

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.4 - AI system access control
NIST AI RMF: GOVERN 1.1 - Policies and procedures for AI risk management
OWASP LLM Top 10: LLM07:2025 - System Prompt Leakage

Frequently Asked Questions

What is CVE-2026-45351?

Open WebUI versions up to 0.8.8 expose admin-configured system prompts to any authenticated user via the unprotected /api/models? endpoint — leaking the instructions, constraints, and operational logic that admins intended to keep confidential. System prompts routinely encode safety guardrails, business logic, and capability boundaries, so their disclosure hands an attacker a roadmap to craft targeted jailbreaks or content manipulation attacks against the same deployment. With 91 prior CVEs in this package, a trivially low attack complexity (any registered user, no special tools), and CVSS AV:N/PR:L, every multi-user Open WebUI deployment is exposed until patched. Upgrade to open-webui 0.8.9 immediately; as an interim control, restrict the /api/models? response at the reverse proxy or API gateway layer to admin-authenticated tokens only.

Is CVE-2026-45351 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-45351, increasing the risk of exploitation.

How to fix CVE-2026-45351?

1. PATCH: Upgrade open-webui pip package to 0.8.9 immediately (patched release available).
2. INTERIM WORKAROUND: At the reverse proxy (nginx/Caddy) layer, restrict /api/models? to requests bearing admin-role JWT claims; return a filtered response (model name only) to standard users until the patch is applied.
3. AUDIT: Review current system prompts for sensitive data (API keys, internal hostnames, compliance logic, or bypass-relevant safety rules) and rotate or redact as appropriate.
4. DETECTION: Search application and proxy logs for GET /api/models? requests from non-admin user tokens in the period since deployment; flag any access from unexpected accounts or IP ranges.
5. COMPENSATING CONTROL: Until patched, disable system prompt population for models exposed to untrusted users.

What systems are affected by CVE-2026-45351?

This vulnerability affects the following AI/ML architecture patterns: Multi-user LLM deployment platforms, Model serving with role-based access control, Enterprise AI gateways, RAG-connected model deployments.

What is the CVSS score for CVE-2026-45351?

CVE-2026-45351 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.28%.

What is the AI security impact?

Affected AI Architectures

Multi-user LLM deployment platforms
Model serving with role-based access control
Enterprise AI gateways
RAG-connected model deployments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0056 Extract LLM System Prompt
AML.T0069 Discover LLM System Information
AML.T0069.002 System Prompt

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.4
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM07:2025

What are the technical details?

Original Advisory

### Summary
A regular user [non-admin] can view the system prompt of the model which is set by an admin.

### Details
When a regular user [non-admin] logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of available models set by admin on models pages in workspace, affecting the confidentiality of the application.

### Affected System
Open WebUI v0.6.40 "main" branch

### Vulnerability Details and Advisory from OWASP
LLM07:2025 System Prompt Leakage - https://genai.owasp.org/llmrisk/llm072025-system-prompt-leakage/

### PoC
1. Regular User [Non-Admin] login on Open WebUI application.
2. A series of web requests get generated by the application, and the http://IP:8080/api/models? request is also generated by the application.
3. The response of the http://IP:8080/api/models? web request reveals the system prompt of all the available models which is set by the admin on models pages in workspace.

[Screenshot: system prompt leak]

### Web Request
    GET /api/models? HTTP/1.1
    Host: localhost:8080
    sec-ch-ua-platform: "Linux"
    authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjdmYjUxMmFhLTBmMTAtNDRkZi1iOWY1LThmNDg2MWFhNWFmOCIsImV4cCI6MTc2NjU2MjE5OH0.yJpavBynKItPQv76SMGKK012JIf29PVUv9sjuCDuRGQ
    Accept-Language: en-US,en;q=0.9
    sec-ch-ua: "Chromium";v="141", "Not?A_Brand";v="8"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
    Accept: application/json
    Content-Type: application/json
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:8080/
    Accept-Encoding: gzip, deflate, br
    Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjdmYjUxMmFhLTBmMTAtNDRkZi1iOWY1LThmNDg2MWFhNWFmOCIsImV4cCI6MTc2NjU2MjE5OH0.yJpavBynKItPQv76SMGKK012JIf29PVUv9sjuCDuRGQ
    Connection: keep-alive

### Impact
1. System prompts can reveal the model instructions, providing attackers with inside knowledge about the system capabilities and bypass restrictions.
2. Attacker can perform content manipulation affecting the input/output of the model.

### Details from MITRE ATLAS
Discover LLM System Information - https://atlas.mitre.org/techniques/AML.T0069
Discover LLM System Information: System Instruction Keywords - https://atlas.mitre.org/techniques/AML.T0069.001
Discover LLM System Information: System Prompt - https://atlas.mitre.org/techniques/AML.T0069.002

### Recommendation
1. The web response should not reveal the system prompt and related internal/back-end details regarding the model to the regular user.
2. Only the model name and non-sensitive details should be revealed to the regular user, and internal/back-end details should not be disclosed.

Exploitation Scenario

An attacker with a standard Open WebUI account (obtained via self-registration, credential theft, or insider access) opens browser developer tools and observes the /api/models? request fired automatically on login. The JSON response includes the full system_prompt field for every admin-configured model on the platform. The attacker extracts the safety guardrail instructions (e.g., 'Do not discuss competitor products', 'Always refer legal questions to hr@company.com', 'You are connected to the internal HR database via RAG') and uses this knowledge to craft prompts that deliberately sidestep the restrictions, extract RAG-indexed data, or impersonate the model's intended persona in social engineering campaigns. Because the leak is passive and requires no active probing beyond a standard login flow, it leaves no anomalous footprint.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026
