CVE-2026-45349 Overview
CVE-2026-45349 is an authorization bypass vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The flaw resides in the /api/chat/completions endpoint and affects all versions prior to 0.9.0. An authenticated user can supply another user's Chat ID along with their own valid API key to continue a conversation that belongs to a different account. The issue is classified as Authorization Through User-Controlled Key [CWE-639] and enables horizontal privilege escalation across user accounts. Open WebUI released a fix in version 0.9.0.
Critical Impact
Any authenticated Open WebUI user can read and extend the private chat histories of other users by referencing a target Chat ID through the chat completions API.
Affected Products
- Open WebUI versions prior to 0.9.0
- Self-hosted Open WebUI deployments exposing /api/chat/completions
- Multi-tenant Open WebUI instances with more than one registered user
Discovery Timeline
- 2026-05-15 - CVE-2026-45349 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45349
Vulnerability Analysis
The vulnerability is an Insecure Direct Object Reference (IDOR) in the Open WebUI chat completions API. The endpoint /api/chat/completions accepts a Chat ID parameter that references a stored conversation. The backend authenticates the request using the caller's API key but does not verify that the authenticated user actually owns the referenced Chat ID. As a result, the conversation owner check is missing from the authorization path. An attacker who learns or guesses a target Chat ID can append messages to that conversation and receive model responses that include prior turn history.
The disclosed information may include prompts, responses, uploaded document context, and any sensitive content the original user shared with the model. Because Open WebUI is frequently deployed in research, enterprise, and offline AI scenarios, exposed chats can contain proprietary data, credentials, or internal documentation.
Root Cause
The root cause is a missing ownership check between the authenticated principal and the requested resource. The handler trusts the user-supplied Chat ID as an authorization boundary instead of validating it against the session identity. This pattern matches [CWE-639] Authorization Bypass Through User-Controlled Key.
Attack Vector
Exploitation requires network access to the Open WebUI API and a valid account on the target instance. The attacker generates an API key from their own account settings, then issues an HTTP request to /api/chat/completions containing a target user's Chat ID. No user interaction from the victim is required. Chat IDs may be obtained through prior access, log leakage, predictable identifiers, or social context. See the GitHub Security Advisory GHSA-gfm2-xm6c-37qc for technical details.
Detection Methods for CVE-2026-45349
Indicators of Compromise
- Requests to /api/chat/completions where the API key owner does not match the owning user of the supplied Chat ID.
- Bursts of chat completion requests from a single API key referencing many distinct Chat IDs in a short window.
- Application logs showing successful completions for Chat IDs that were never created by the calling account.
Detection Strategies
- Enable verbose request logging on the Open WebUI reverse proxy and correlate user_id from the API key with the chat_id parameter in each request body.
- Build an analytic that flags any request where the resolved chat owner differs from the authenticated caller.
- Review historical access logs for patterns of Chat ID enumeration or sequential ID probing.
Monitoring Recommendations
- Forward Open WebUI application and proxy logs to a centralized logging or SIEM platform for retention and search.
- Alert on accounts that access an unusually high number of distinct Chat IDs relative to baseline.
- Monitor outbound API key creation events and tie them to subsequent chat completion activity for anomaly review.
How to Mitigate CVE-2026-45349
Immediate Actions Required
- Upgrade all Open WebUI instances to version 0.9.0 or later, where the ownership check is enforced.
- Rotate any API keys generated before the upgrade, since they may have been used to access other users' chats.
- Audit chat histories for unexpected message entries that may indicate exploitation prior to patching.
Patch Information
Open WebUI maintainers fixed the issue in version 0.9.0. The patch enforces a server-side ownership check that validates the authenticated user against the requested Chat ID before serving completions. Refer to the Open WebUI Security Advisory GHSA-gfm2-xm6c-37qc for the official remediation guidance.
Workarounds
- Restrict Open WebUI access to trusted users only and disable open self-registration until the upgrade is applied.
- Place the API behind an authenticating reverse proxy that enforces per-user access policies on /api/chat/completions.
- Disable or revoke unused API keys to reduce the attack surface available to internal users.
# Upgrade Open WebUI container to the patched release
docker pull ghcr.io/open-webui/open-webui:0.9.0
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui -p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
