QSearchQSearch

CVE-2026-45666

6.5 MEDIUM

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline

Published: 2026-05-15 · Last updated: 2026-05-19

Severity and scoring

CVSS
6.5 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
CWE-639

Affected products

VendorProduct
openwebuiopen_webui

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data. This vulnerability is fixed in 0.8.11.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-45667 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.5 MEDIUM)
  • CVE-2026-45665 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (8.1 HIGH)
  • CVE-2026-45365 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (5.4 MEDIUM)
  • CVE-2026-45351 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.5 MEDIUM)
  • CVE-2026-45350 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (7.1 HIGH)

Same CWE

  • CVE-2026-53675 BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attack... (4.3 MEDIUM)
  • CVE-2026-53673 BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers... (8.1 HIGH)
  • CVE-2026-6444 A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, ac...
  • CVE-2026-44083 An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie
  • CVE-2026-9185 The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and inc... (7.5 HIGH)