CVE-2026-45666 — MEDIUM (CVSS 6.5)

Q: Is CVE-2026-45666 actively exploited?

No confirmed active exploitation of CVE-2026-45666 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-45666?

1. PATCH: Upgrade open-webui to v0.8.11 or later immediately — this is the only complete fix. 2. DETECT: Review access logs for high-frequency or sequential requests to GET /api/v1/notes/{id} from a single authenticated session; UUID enumeration typically shows patterned or random ID variation with a single source token. 3. INTERIM CONTROL: If patching is delayed, restrict network-level access to the Open-WebUI API to trusted internal segments to limit the attacker pool to internal accounts only. 4. AUDIT: Examine existing notes for sensitive content (credentials, PII, proprietary configs) that may have been exposed; treat any multi-user instance on <= 0.8.10 as potentially compromised for the notes feature. 5. NOTIFY: If your instance is regulated (healthcare, finance, public sector), assess whether a data breach notification obligation is triggered by the potential cross-user note exposure.

Q: What systems are affected by CVE-2026-45666?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, self-hosted AI productivity platforms, enterprise local LLM deployments, multi-user AI sandboxes.

Q: What is the CVSS score for CVE-2026-45666?

CVE-2026-45666 has a CVSS v3.1 base score of 6.5 (MEDIUM).

CISO Take

Open-WebUI versions up to 0.8.10 contain an Insecure Direct Object Reference (IDOR) flaw in the notes API — any authenticated user can read another user's private notes simply by cycling through UUID-formatted note IDs with no authorization check on the server side. In enterprise or team deployments of Open-WebUI (a popular frontend for local LLM serving), notes frequently contain sensitive system prompts, proprietary configurations, internal business data, or credentials, making the real business impact substantially higher than the CVSS 6.5 score implies. A secondary design flaw compounds the risk: even when administrators disable the Notes feature via settings, a logged-in attacker can re-enable it client-side by intercepting the /api/config response, meaning the disabling control provides no meaningful defense. Upgrade immediately to open-webui v0.8.11, which enforces server-side ownership checks on all note endpoints; there is no safe workaround on earlier versions.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

CVSS 6.5 (Medium) understates business risk in multi-user enterprise deployments. The attack requires only a valid account (Privileges Required: Low), has no complexity barrier (Attack Complexity: Low), and needs no user interaction — trivially scriptable. Confidentiality Impact is rated HIGH in the CVSS vector, correctly reflecting that all notes across the instance are accessible. The administrative disable-bypass via /api/config manipulation eliminates a natural compensating control. With 91 prior CVEs in open-webui, this package has a documented pattern of security weaknesses. No public exploit code or Nuclei template exists yet, and no CISA KEV listing, but the low skill floor means exploitation is realistic shortly after this advisory becomes widely known.

Attack Kill Chain

Initial Access

Attacker authenticates to Open-WebUI with any valid low-privilege account — contractor, trial user, or compromised credential.

AML.T0012

Feature Bypass

If Notes is administratively disabled, attacker intercepts the /api/config response via browser DevTools or proxy and flips 'enable_notes' to true client-side, surfacing the hidden Notes UI.

AML.T0049

IDOR Enumeration

Attacker captures a sample note_id UUID from their own session, then scripts sequential or randomized GET /api/v1/notes/{id} requests to enumerate notes belonging to other users — the server performs no ownership check.

AML.T0006

Data Exfiltration

Every 200 response returns another user's private note content — potentially including system prompts, pasted credentials, PII, or confidential business data — exfiltrated silently with no server-side audit trail distinguishing this from normal note access.

AML.T0085

Initial Access

Attacker authenticates to Open-WebUI with any valid low-privilege account — contractor, trial user, or compromised credential.

AML.T0012

Feature Bypass

If Notes is administratively disabled, attacker intercepts the /api/config response via browser DevTools or proxy and flips 'enable_notes' to true client-side, surfacing the hidden Notes UI.

AML.T0049

IDOR Enumeration

Attacker captures a sample note_id UUID from their own session, then scripts sequential or randomized GET /api/v1/notes/{id} requests to enumerate notes belonging to other users — the server performs no ownership check.

AML.T0006

Data Exfiltration

Every 200 response returns another user's private note content — potentially including system prompts, pasted credentials, PII, or confidential business data — exfiltrated silently with no server-side audit trail distinguishing this from normal note access.

AML.T0085

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.8.10	`0.8.11`
136.3K Pushed 5d ago 75% patched ~4d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

PATCH

Upgrade open-webui to v0.8.11 or later immediately — this is the only complete fix.
DETECT

Review access logs for high-frequency or sequential requests to GET /api/v1/notes/{id} from a single authenticated session; UUID enumeration typically shows patterned or random ID variation with a single source token.
INTERIM CONTROL

If patching is delayed, restrict network-level access to the Open-WebUI API to trusted internal segments to limit the attacker pool to internal accounts only.
AUDIT

Examine existing notes for sensitive content (credentials, PII, proprietary configs) that may have been exposed; treat any multi-user instance on <= 0.8.10 as potentially compromised for the notes feature.
NOTIFY

If your instance is regulated (healthcare, finance, public sector), assess whether a data breach notification obligation is triggered by the potential cross-user note exposure.

Classification

Auth Bypass Data Extraction Privacy Violation API Framework AML.T0006 - Active Scanning AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0085 - Data from AI Services

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.2.3 - Access control to AI systems and data

NIST AI RMF

GOVERN 6.1 - Policies and procedures are in place for defining and categorizing AI risks

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-45666?

Open-WebUI versions up to 0.8.10 contain an Insecure Direct Object Reference (IDOR) flaw in the notes API — any authenticated user can read another user's private notes simply by cycling through UUID-formatted note IDs with no authorization check on the server side. In enterprise or team deployments of Open-WebUI (a popular frontend for local LLM serving), notes frequently contain sensitive system prompts, proprietary configurations, internal business data, or credentials, making the real business impact substantially higher than the CVSS 6.5 score implies. A secondary design flaw compounds the risk: even when administrators disable the Notes feature via settings, a logged-in attacker can re-enable it client-side by intercepting the /api/config response, meaning the disabling control provides no meaningful defense. Upgrade immediately to open-webui v0.8.11, which enforces server-side ownership checks on all note endpoints; there is no safe workaround on earlier versions.

Is CVE-2026-45666 actively exploited?

No confirmed active exploitation of CVE-2026-45666 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45666?

1. PATCH: Upgrade open-webui to v0.8.11 or later immediately — this is the only complete fix. 2. DETECT: Review access logs for high-frequency or sequential requests to GET /api/v1/notes/{id} from a single authenticated session; UUID enumeration typically shows patterned or random ID variation with a single source token. 3. INTERIM CONTROL: If patching is delayed, restrict network-level access to the Open-WebUI API to trusted internal segments to limit the attacker pool to internal accounts only. 4. AUDIT: Examine existing notes for sensitive content (credentials, PII, proprietary configs) that may have been exposed; treat any multi-user instance on <= 0.8.10 as potentially compromised for the notes feature. 5. NOTIFY: If your instance is regulated (healthcare, finance, public sector), assess whether a data breach notification obligation is triggered by the potential cross-user note exposure.

What systems are affected by CVE-2026-45666?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, self-hosted AI productivity platforms, enterprise local LLM deployments, multi-user AI sandboxes.

What is the CVSS score for CVE-2026-45666?

CVE-2026-45666 has a CVSS v3.1 base score of 6.5 (MEDIUM).

Technical Details

NVD Description

### Summary The API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data. ### Details - if notes is enabled from UI (Settings >> General >> Features >> Notes (Beta)) - From API, attacker can access other user notes - if notes is disabled from UI (Settings >> General >> Features >> Notes (Beta)) - Then attacker can enable the notes from /api/config and access other user notes ### PoC - Step 1: Log in to the application as a valid user (User A). ![image](https://github.com/user-attachments/assets/3c4625f9-6e51-4cd1-942e-6a3f467520c0) - Step 2: Intercept or inspect the response from the endpoint GET /api/config. ![image](https://github.com/user-attachments/assets/7c4fe716-314c-4640-bc9f-1e11ddc2273d) - Step 3: Observe the field "enable_notes": false in the JSON response. - Step 4: Manually change "enable_notes" to true using browser DevTools or by intercepting and modifying the response via a proxy like Burp Suite. (Please note, the occurrence of this API comes twice, hence modification needs to be made twice as well.) ![image](https://github.com/user-attachments/assets/99575570-a673-4508-b149-9a2480d8f62e) - Step 5: Observe the loaded frontend application; the previously hidden notes form will now be visible. ![image](https://github.com/user-attachments/assets/a4059b1f-2e77-4f29-88a3-431e82b7c41d) ![image](https://github.com/user-attachments/assets/55e601d7-b013-43e3-a070-3a80f166e777) - Step 6: Again, click on any note, intercept the request, and Replace the note_id in the URL with a different note ID known to belong to another user (e.g., by guessing or bruteforcing). - Step 7: Send the modified request while remaining logged in as User A. - Step 8: Observe that the server returns the content of another user's note, confirming unauthorized access. ![image](https://github.com/user-attachments/assets/cbec4ab5-a8a8-488a-a984-03e8de5b22f7) ![image](https://github.com/user-attachments/assets/046cd925-7299-44ba-bfc3-d6e7071d29d1) ### Impact 1. Unauthorized access to user-created notes 2. Possible exposure of confidential or sensitive uploaded data 3. Violation of user privacy and data isolation 4. High risk of legal or compliance breaches in regulated environments ## Resolution Fixed in commit [de3317e26](https://github.com/open-webui/open-webui/commit/de3317e26bb67a2a7ea015a183bbd1d369880ebd), first released in **v0.8.11** (Mar 2026). All per-id note endpoints (`GET /api/v1/notes/{id}`, `POST /api/v1/notes/{id}/update`, `POST /api/v1/notes/{id}/access/update`, deletion) now enforce ownership: the handler fetches the note, then requires the caller to be admin, the note owner, or have an `AccessGrants` grant for the appropriate permission (`read` for retrieval, `write` for mutation). A non-owner with no grant receives 403. Users on `>= 0.8.11` are not affected.

Exploitation Scenario

An attacker with a low-privilege Open-WebUI account — for example, a contractor, intern, or external researcher with trial access — first checks /api/config via the browser developer tools and observes 'enable_notes': false. They intercept the config response with Burp Suite, flip the flag to true, and the Notes UI becomes visible in their session. They then click any note link in their own session to capture a sample UUID-formatted note_id from the GET /api/v1/notes/{id} request. From there, a simple script iterates through UUID variants (or uses knowledge of a target user's ID range) sending authenticated GET requests; each request that returns 200 instead of 403 reveals another user's private note. Across a 500-user enterprise instance, an attacker could exfiltrate the entire notes corpus within minutes, harvesting system prompt designs, pasted API keys, or confidential business data with no server-side resistance.