CVE-2026-45386: open-webui: auth bypass lets read-only users pin messages

GHSA-5gc6-xhv4-2wg6 MEDIUM CISA: TRACK*
Published May 14, 2026
CISO Take

Open-webui versions up to 0.9.4 contain an authorization logic flaw where the message pin/unpin API endpoint checks only 'read' permission instead of the required 'write' permission in standard channels, allowing any authenticated read-only user to modify pinned message state. While CVSS scores this at 4.3 medium with no confidentiality impact, organizations running open-webui as an internal LLM collaboration interface should note that this lets lower-privileged users silently disrupt curated channels — unpinning security advisories or pinning misleading content to manipulate what colleagues and downstream LLM agents see first. There is no active exploitation (not in KEV, no public PoC beyond the advisory proof-of-concept), but with 91 CVEs tracked in this package and a package risk score of 38/100, open-webui's vulnerability cadence warrants prompt action. Upgrade to open-webui 0.9.5 immediately; no effective workaround exists short of removing read-only channel memberships entirely.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Low-medium operational risk. Exploitation requires an authenticated account with at minimum read access — anonymous exploitation is impossible. The integrity impact is bounded to message pinning state; no data is exfiltrated, no code executes, and no service is disrupted. CVSS 4.3 is an accurate score. Exploitability is trivial for any attacker holding valid credentials, requiring only a single HTTP POST request. Primary concern is insider threat or compromised read-only accounts being used to manipulate pinned announcements, security notices, or operational runbooks in LLM-backed team channels — especially if those channels feed downstream AI context.

How does the attack unfold?

Initial Access
Attacker obtains or already holds a valid read-only user account for the target open-webui standard channel, either legitimately (contractor) or via credential compromise.
AML.T0012
Exploitation
Attacker sends a POST request to the pin endpoint with their read-only bearer token; the server checks only read permission (which they possess) and approves the write operation, returning success with the attacker's user ID recorded as pinned_by.
AML.T0049
Impact
Attacker pins attacker-chosen messages or unpins legitimate security announcements, manipulating what channel members and downstream LLM agents receive as authoritative pinned context.
AML.T0048.001

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.9.4 0.9.5
143.3K Pushed 8d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
4.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I Low
A None

What should I do?

5 steps
  1. Upgrade open-webui to version 0.9.5 or later — this is the only complete fix.

  2. Until patched, revoke read-only channel memberships from untrusted or external users in standard channels containing sensitive content.

  3. Audit the AccessGrants table for all read-only principals with access to channels hosting security-critical or LLM-context-feeding content.

  4. Review recent pin/unpin activity logs and cross-reference against user permission levels to detect any prior exploitation.

  5. Establish a patch SLA for open-webui given its history of 91 tracked CVEs; treat it as a high-churn dependency requiring active monitoring.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
8.4 - AI system risk management
NIST AI RMF
GOVERN 1.1 - AI risk policies and procedures
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-45386?

Open-webui versions up to 0.9.4 contain an authorization logic flaw where the message pin/unpin API endpoint checks only 'read' permission instead of the required 'write' permission in standard channels, allowing any authenticated read-only user to modify pinned message state. While CVSS scores this at 4.3 medium with no confidentiality impact, organizations running open-webui as an internal LLM collaboration interface should note that this lets lower-privileged users silently disrupt curated channels — unpinning security advisories or pinning misleading content to manipulate what colleagues and downstream LLM agents see first. There is no active exploitation (not in KEV, no public PoC beyond the advisory proof-of-concept), but with 91 CVEs tracked in this package and a package risk score of 38/100, open-webui's vulnerability cadence warrants prompt action. Upgrade to open-webui 0.9.5 immediately; no effective workaround exists short of removing read-only channel memberships entirely.

Is CVE-2026-45386 actively exploited?

No confirmed active exploitation of CVE-2026-45386 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45386?

1. Upgrade open-webui to version 0.9.5 or later — this is the only complete fix. 2. Until patched, revoke read-only channel memberships from untrusted or external users in standard channels containing sensitive content. 3. Audit the AccessGrants table for all read-only principals with access to channels hosting security-critical or LLM-context-feeding content. 4. Review recent pin/unpin activity logs and cross-reference against user permission levels to detect any prior exploitation. 5. Establish a patch SLA for open-webui given its history of 91 tracked CVEs; treat it as a high-churn dependency requiring active monitoring.

What systems are affected by CVE-2026-45386?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, Agent frameworks using open-webui as frontend, RAG pipelines ingesting channel content.

What is the CVSS score for CVE-2026-45386?

CVE-2026-45386 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

LLM chat interfacesAgent frameworks using open-webui as frontendRAG pipelines ingesting channel content

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0048.001 Reputational Harm
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

### Summary `Pin/Unpin` is a write operation (modifies the message's `is_pinned `, `pinned_by`, `pinned_at` fields), but in standard channels it only checks `read` permission, allowing users with read-only access to pin/unpin any message. ### Details https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/routers/channels.py#L1218 ``` @router.post('/{id}/messages/{message_id}/pin', response_model=Optional[MessageUserResponse]) async def pin_channel_message( request: Request, id: str, message_id: str, form_data: PinMessageForm, user=Depends(get_verified_user), db: Session = Depends(get_session), ): check_channels_access(request) channel = Channels.get_channel_by_id(id, db=db) if not channel: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND) if channel.type in ['group', 'dm']: if not Channels.is_user_channel_member(channel.id, user.id, db=db): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()) else: if user.role != 'admin' and not channel_has_access(user.id, channel, permission='read', db=db): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()) ``` The `channel_has_access` function https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/backend/open_webui/routers/channels.py#L75 checks user permissions against the `AccessGrants` table: ``` def channel_has_access( user_id: str, channel: ChannelModel, permission: str = 'read', # 'read' or 'write' strict: bool = True, db: Optional[Session] = None, ) -> bool: if AccessGrants.has_access( user_id=user_id, resource_type='channel', resource_id=channel.id, permission=permission, db=db, ): return True # ... ``` The `AccessGrant` table distinguishes between `read` and `write` permission levels. ### PoC `admin` creates Standard Channel with Read-Only Access for `test1` : ``` POST /api/v1/channels/create Authorization: Content-Type: application/json { "name": "pin-test-standard", "access_grants": [ { "principal_type": "user", "principal_id": "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c", "permission": "read" } ] } ``` `admin` posts a Message in the Channel, and `test1` has `read` permission only. <img width="1024" height="423" alt="image" src="https://github.com/user-attachments/assets/e9912bd7-3908-44f2-8984-22d0535dc66f" /> `test1` attempts to Pin Message: ``` POST /api/v1/channels/0699b656-578f-4976-94b0-65e2b19752fd/messages/4797359b-aad5-4081-9617-e8ca58524a87/pin Authorization: Bearer <test1_token> Content-Type: application/json { "is_pinned": true } ``` ``` { "id": "4797359b-aad5-4081-9617-e8ca58524a87", "user_id": "28c859b7-84e2-4217-b4d7-3f0e43f7c4b9", "is_pinned": true, "pinned_by": "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c", "pinned_at": 1774716314908288719, "content": "Admin announcement in standard channel - test1 should NOT be able to pin this" } ``` Successfully pinned admin's message. `pinned_by` records test1's user ID. <img width="1024" height="350" alt="image" src="https://github.com/user-attachments/assets/705b1f45-95a9-4e91-8a74-10bdbccde0b8" /> `test1` (Read-Only) can alse Unpin Message. The Pin/Unpin endpoint in standard channels only checks `read` permission, allowing read-only users to pin/unpin any message. ### Impact Read-only users can pin irrelevant messages, disrupting important information display in the channel . ### Recommended Fix Change the Pin endpoint's permission check from `read` to `write` .

Exploitation Scenario

An attacker granted read-only access to an internal open-webui channel — for example, a contractor account or a lateral-movement pivot using a compromised low-privilege credential — sends a crafted POST to '/api/v1/channels/{channel_id}/messages/{message_id}/pin' with their bearer token and payload {"is_pinned": true}. The endpoint validates only read permission, which the attacker holds, and succeeds. The attacker unpins a legitimate security advisory pinned by an administrator, then pins a fabricated message such as 'No active incidents — system healthy' to manipulate the information visible to channel members. If the channel feeds an LLM agent via context injection or RAG, the poisoned pinned content may influence AI-generated summaries, incident triage decisions, or automated responses.

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities