open-webui versions up to 0.9.4 expose the complete system prompt of any shared model to users granted read access, via the REST endpoint /api/v1/models/model — despite that same model being intentionally excluded from the list API. System prompts in enterprise LLM deployments routinely contain proprietary reasoning chains, security guardrail instructions, embedded credentials, and operational logic that organizations treat as confidential IP; their exposure hands adversaries the reconnaissance needed to craft precision prompt injection attacks or fully bypass safety controls. The attack requires only a valid account and any read-level group membership — a condition that is by design in multi-tenant open-webui deployments, making the realistic affected population larger than the CVSS 4.3 score suggests. Upgrade immediately to open-webui v0.9.5; as an interim measure, revoke group read permissions on models carrying sensitive prompts and audit API logs for unexpected calls to /api/v1/models/model from non-owner accounts.
What is the risk?
Medium risk overall, but elevated in enterprise or multi-team open-webui deployments where model sharing is standard practice. Exploitation is trivial — no special tooling, no privilege escalation, no social engineering — requiring only a valid authenticated session and knowledge of a model ID, which is discoverable via the workspace UI. The confidentiality impact is bounded to system prompt contents rather than training data or user data, but in AI deployments where system prompts encode security policies or proprietary business logic, this boundary understates real-world consequence. No public exploit code and no CISA KEV entry reduce immediate urgency, but the low exploitation barrier and 91 prior CVEs in the same package suggest a pattern of access control weaknesses worth treating seriously.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| open-webui | pip | <= 0.9.4 | 0.9.5 |
If you run open-webui 0.9.4 or earlier, you are affected.
What should I do?
1. Patch: Upgrade open-webui to v0.9.5 immediately — this is the only complete fix.
2. Interim workaround: Audit all models with group read permissions configured and temporarily revoke those permissions for any model whose system prompt contains sensitive content.
3. Prompt hygiene: Treat the system prompt of any shared model as potentially already exposed; rotate or revise any credentials, API keys, or highly sensitive logic embedded in prompts for affected versions.
4. Detection: Query application/web access logs for requests to /api/v1/models/model bearing model IDs not owned by the requesting user; cross-reference against group membership tables to identify unauthorized reads that may have already occurred.
5. Compensating control: If immediate patching is blocked, place the open-webui instance behind network controls limiting API access to trusted subnets.
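The detection step above, as an added example that is not part of this advisory or of open-webui: it walks access log lines, keeps only successful GET /api/v1/models/model?id=... reads, drops those made by the model's owner, and marks whether the remaining reads are explained by a group read grant (the path this CVE exposes). The JSON-lines log format with a `user` field, and the ownership and group tables, are constructed assumptions; in a real audit export them from your proxy logs and the open-webui database.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (assumed format: the reverse proxy records the authenticated user).
SAMPLE_LOG = """
{"ts":"2026-05-01T09:00:01Z","user":"alice","method":"GET","path":"/api/v1/models/model?id=finance-assistant","status":200}
{"ts":"2026-05-01T09:02:17Z","user":"carol","method":"GET","path":"/api/v1/models/model?id=finance-assistant","status":200}
{"ts":"2026-05-01T09:03:40Z","user":"dave","method":"GET","path":"/api/v1/models/model?id=finance-assistant","status":403}
{"ts":"2026-05-01T09:05:12Z","user":"carol","method":"GET","path":"/api/v1/models/list","status":200}
{"ts":"2026-05-01T09:06:55Z","user":"erin","method":"GET","path":"/api/v1/models/model?id=hr-bot","status":200}
""".strip().splitlines()

# Constructed ownership and sharing tables (export the real ones from the open-webui DB).
MODEL_OWNERS = {"finance-assistant": "alice", "hr-bot": "bob"}
MODEL_READ_GROUPS = {"finance-assistant": {"analysts"}, "hr-bot": set()}
USER_GROUPS = {"alice": {"analysts"}, "carol": {"analysts"}, "dave": set(), "erin": set()}


def find_nonowner_prompt_reads(lines, owners, read_groups, user_groups):
    """Return successful /api/v1/models/model reads made by someone other than the model owner."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        url = urlsplit(rec["path"])
        if rec["method"] != "GET" or url.path != "/api/v1/models/model":
            continue
        model_id = parse_qs(url.query).get("id", [None])[0]
        if model_id is None or rec["status"] != 200:
            continue  # only a 200 response carries params.system
        owner = owners.get(model_id)
        if rec["user"] == owner:
            continue
        # True: read explained by a group read grant (the CVE-2026-45387 exposure path).
        # False: a 200 with no grant at all, which needs separate investigation (admin? other route?).
        via_group = bool(user_groups.get(rec["user"], set()) & read_groups.get(model_id, set()))
        findings.append({"ts": rec["ts"], "user": rec["user"], "model": model_id,
                         "owner": owner, "via_group_read": via_group})
    return findings


if __name__ == "__main__":
    for finding in find_nonowner_prompt_reads(SAMPLE_LOG, MODEL_OWNERS, MODEL_READ_GROUPS, USER_GROUPS):
        print(finding)
```

Every model that shows up in a finding should be treated as having its system prompt disclosed, regardless of whether the read was via a group grant.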
Frequently Asked Questions
What is CVE-2026-45387?
CVE-2026-45387 is a system prompt leakage flaw in open-webui versions up to 0.9.4: a user with group read access to a shared model can retrieve its full system prompt (params.system) via GET /api/v1/models/model?id=<model_id>, even though the model is excluded from the list API. The fix is in open-webui v0.9.5; see the summary at the top of this page for interim measures.
Is CVE-2026-45387 actively exploited?
No confirmed active exploitation of CVE-2026-45387 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-45387?
1. Patch: Upgrade open-webui to v0.9.5 immediately — this is the only complete fix.
2. Interim workaround: Audit all models with group read permissions configured and temporarily revoke those permissions for any model whose system prompt contains sensitive content.
3. Prompt hygiene: Treat the system prompt of any shared model as potentially already exposed; rotate or revise any credentials, API keys, or highly sensitive logic embedded in prompts for affected versions.
4. Detection: Query application/web access logs for requests to /api/v1/models/model bearing model IDs not owned by the requesting user; cross-reference against group membership tables to identify unauthorized reads that may have already occurred.
5. Compensating control: If immediate patching is blocked, place the open-webui instance behind network controls limiting API access to trusted subnets.
What systems are affected by CVE-2026-45387?
This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, multi-user AI platforms, model serving, enterprise AI assistants.
What is the CVSS score for CVE-2026-45387?
CVE-2026-45387 has a CVSS v3.1 base score of 4.3 (MEDIUM).
Technical Details
NVD Description
### Summary

When setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However, users may consider their system prompt confidential, so we consider this a security issue. Compare https://genai.owasp.org/llmrisk/llm072025-system-prompt-leakage/ or prompt injections to get popular chatbots on the internet to reveal their prompt.

### Details

We discovered that users can open the workspace model edit page /workspace/models/edit?id=notmymodel for models that do not appear in their workspace. Saving is not possible; that permission check is correct.

On the API level:

- `/api/v1/models/model?id=notmymodel` -> returns the model details, most importantly params.system - even though `/api/v1/models/list` does NOT contain the model since it checks for write permission.
- `/api/models` contains the model correctly and does not reveal the system prompt.

It seems inconsistent that the REST API list does not contain an item, but if you know the id, you can access it anyway.

### PoC

- create model
- give read permission to group with another user
- other user can access `/api/v1/models/model?id=notmymodel`

### Impact

System prompt leakage

If this is intended behavior for the "read" permission, maybe there should be an additional "use" permission (which would be 99% of use cases of the read permission, I believe).
Exploitation Scenario
An attacker holds a legitimate account in an organization's open-webui instance and is a member of any group that has been granted read access to at least one model — a routine condition in team deployments. The attacker navigates to /workspace/models/edit to enumerate model IDs visible in the UI, even without write rights. They then issue a direct REST call: GET /api/v1/models/model?id=<target_model_id> with their session token. The response returns the full model configuration including params.system — the complete system prompt. The attacker reads the prompt to identify safety guardrails, persona constraints, or embedded secrets. Armed with this knowledge, they craft a targeted prompt injection that references and neutralizes the specific guardrails by name, or extracts embedded API credentials for lateral movement into integrated backend systems.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Related Vulnerabilities
- CVE-2026-44551 (9.1), same package: open-webui: LDAP auth bypass — full account takeover
- CVE-2026-45672 (8.8), same package: open-webui: code exec gate bypass via API endpoint
- CVE-2026-44552 (8.7), same package: open-webui: Redis cache poisoning enables cross-instance tool hijack
- CVE-2025-64495 (8.7), same package: Open WebUI: XSS-to-RCE via malicious prompt injection
- CVE-2026-45315 (8.7), same package: analysis pending