CVE-2026-45351 Overview
CVE-2026-45351 is an information disclosure vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. Versions prior to 0.8.9 expose system prompts configured by administrators to regular non-admin users. When a non-admin user logs into the application, the client issues a request to /api/models? on port 8080, and the server response includes the system prompts defined for available models on the workspace models page. The flaw affects the confidentiality of the application by leaking administrator-defined model instructions to lower-privileged accounts. The issue is fixed in Open WebUI 0.8.9 [CWE-200].
Critical Impact
Authenticated non-admin users can retrieve administrator-defined model system prompts, exposing sensitive instructions, internal logic, or embedded secrets configured in workspace models.
Affected Products
- Open WebUI versions prior to 0.8.9
- Self-hosted Open WebUI deployments exposing /api/models? on port 8080
- Multi-tenant Open WebUI workspaces with administrator-configured model system prompts
Discovery Timeline
- 2026-05-15 - CVE-2026-45351 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-45351
Vulnerability Analysis
Open WebUI allows administrators to configure system prompts for available models through the workspace models page. These prompts often contain proprietary instructions, role definitions, guardrails, or contextual data intended to remain hidden from end users. The vulnerability stems from the /api/models? endpoint returning the full model object, including the system prompt field, to any authenticated user regardless of role.
When a regular user logs in, the front-end issues an HTTP GET request to http://IP:8080/api/models? to populate the model selector. The server response includes administrator-defined configuration that should be restricted to admin roles. This breaks the confidentiality boundary between administrative configuration and standard user access.
The vulnerability is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. Exploitation requires only valid low-privileged credentials and produces no integrity or availability impact.
Root Cause
The /api/models? endpoint does not filter sensitive administrator-controlled fields, such as system prompts, before returning model metadata to non-admin callers. The API performs authentication but omits role-based field-level authorization on the response payload.
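A sketch of the missing control, added here for illustration and not Open WebUI's code or its actual fix: the same model list returned unfiltered versus projected through a per-role field allowlist. The record layout, field names and role names are hypothetical.

```python
# Hypothetical model records; field names are illustrative, not Open WebUI's schema.
MODELS = [
    {"id": "support-bot", "name": "Support Bot", "owner": "admin",
     "params": {"system": "Constructed prompt with EXAMPLE-INTERNAL-NOTE",
                "temperature": 0.2}},
    {"id": "plain-chat", "name": "Plain Chat", "owner": "admin",
     "params": {"temperature": 0.7}},
]

# Dotted field paths each role may receive; None means the full record.
VISIBLE = {
    "admin": None,
    "user": {"id", "name", "params.temperature"},
}

def list_models_unfiltered(models, role):
    """Root-cause pattern: caller is authenticated, role never shapes the payload."""
    return models

def project(record, allowed, prefix=""):
    """Copy only allowlisted leaf fields; fields added later stay hidden by default."""
    out = {}
    for key, value in record.items():
        path = prefix + key
        if isinstance(value, dict):
            child = project(value, allowed, path + ".")
            if child:
                out[key] = child
        elif path in allowed:
            out[key] = value
    return out

def list_models_filtered(models, role):
    """Field-level authorization: unknown roles fail closed with empty records."""
    allowed = VISIBLE.get(role, set())
    if allowed is None:
        return models
    return [project(m, allowed) for m in models]

if __name__ == "__main__":
    print(list_models_unfiltered(MODELS, "user")[0]["params"].keys())
    print(list_models_filtered(MODELS, "user"))
```

An allowlist is used instead of deleting known-sensitive keys so that a field added to the record later is withheld from non-admin callers until someone deliberately exposes it.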
Attack Vector
The attack vector is network-based and requires low-privileged authenticated access. An attacker with any valid Open WebUI account can issue a single authenticated HTTP GET request to /api/models? and parse the returned JSON to extract the system prompt fields for each configured model. No user interaction or elevated privileges are required.
No verified exploit code is published. See the GitHub Security Advisory GHSA-jh9g-8jqw-m2qx for vendor technical details.
Detection Methods for CVE-2026-45351
Indicators of Compromise
- Repeated authenticated GET requests to /api/models? from non-admin user sessions.
- HTTP 200 responses from /api/models? containing populated system prompt fields delivered to standard user accounts.
- Unusual scripting or automated user-agents querying the models API outside of normal UI workflows.
Detection Strategies
- Review Open WebUI reverse proxy access logs for /api/models? requests correlated to non-admin session tokens.
- Compare response sizes for /api/models? between admin and non-admin sessions to identify unexpected payload exposure.
- Inspect application audit logs for enumeration patterns where a single user account retrieves model metadata at high frequency.
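The log checks listed above can be scripted. The following is an added example, not part of the advisory or of Open WebUI: it flags non-admin accounts that request /api/models at high frequency or receive a payload about as large as an administrator's. The log layout, the `ADMINS` set, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed proxy log layout; the pattern keeps only successful GETs of /api/models.
LINE_RE = re.compile(
    r'^(\S+) user=(\S+) "GET /api/models(?:\?\S*)? [^"]*" 200 (\d+)$')
ADMINS = {"admin"}             # assumption: admin ids from your identity source
WINDOW, MAX_HITS = timedelta(minutes=5), 5   # assumed enumeration threshold
SIZE_RATIO = 0.9               # non-admin payload this close to admin's is suspect

# Constructed sample lines, not taken from a real deployment.
SAMPLE_LOG = [
    '2026-05-16T09:00:00 user=admin "GET /api/models? HTTP/1.1" 200 8421',
    '2026-05-16T09:02:10 user=alice "GET /api/models? HTTP/1.1" 200 8390',
    '2026-05-16T09:15:00 user=carol "GET /api/models? HTTP/1.1" 200 2100',
    '2026-05-16T09:16:00 user=dave "GET /api/models? HTTP/1.1" 401 43',
] + [f'2026-05-16T09:10:{s:02d} user=bob "GET /api/models? HTTP/1.1" 200 8390'
     for s in range(0, 35, 5)]

def model_list_hits(lines):
    """Yield (time, user, bytes) for successful GET /api/models requests."""
    for m in filter(None, map(LINE_RE.match, lines)):
        yield datetime.fromisoformat(m[1]), m[2], int(m[3])

def burst(hits):
    """True if more than MAX_HITS requests fall inside any WINDOW (hits sorted)."""
    times = [t for t, _ in hits]
    return any(times[i + MAX_HITS] - times[i] <= WINDOW
               for i in range(len(times) - MAX_HITS))

def analyze(lines, admins=ADMINS):
    """Map each non-admin user to the reasons their /api/models use stands out."""
    by_user = defaultdict(list)
    for ts, user, size in model_list_hits(lines):
        by_user[user].append((ts, size))
    admin_sizes = [s for u in admins for _, s in by_user.get(u, [])]
    baseline = median(admin_sizes) if admin_sizes else None
    findings = {}
    for user, hits in by_user.items():
        reasons = ["high_frequency"] if burst(sorted(hits)) else []
        if baseline and median(s for _, s in hits) >= SIZE_RATIO * baseline:
            reasons.append("admin_sized_response")
        if reasons and user not in admins:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The size comparison is a heuristic: a non-admin who legitimately sees the same set of models with no prompts configured will also match, so treat a hit as a reason to inspect the response body, not as proof of exposure.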
Monitoring Recommendations
- Enable verbose HTTP access logging on the reverse proxy fronting Open WebUI to capture endpoint, user identifier, and response size.
- Alert on access to /api/models? from accounts that have never used the chat interface or models page in the UI.
- Forward Open WebUI container logs to a centralized log platform for retention and correlation with identity events.
How to Mitigate CVE-2026-45351
Immediate Actions Required
- Upgrade Open WebUI to version 0.8.9 or later on all self-hosted deployments.
- Audit existing model system prompts and rotate any embedded secrets, API keys, or sensitive instructions exposed prior to patching.
- Restrict network access to the Open WebUI instance to trusted users only while patching is in progress.
Patch Information
Open WebUI version 0.8.9 resolves CVE-2026-45351 by preventing the /api/models? endpoint from exposing administrator-defined system prompts to non-admin users. Refer to the Open WebUI Security Advisory GHSA-jh9g-8jqw-m2qx for fix details and upgrade guidance.
Workarounds
- Remove sensitive content from model system prompts on the workspace models page until the upgrade to 0.8.9 is complete.
- Limit user account creation and disable self-registration to reduce the population of non-admin accounts that can query the API.
- Place Open WebUI behind a reverse proxy enforcing role-aware access controls on the /api/models? path where feasible.
# Configuration example: upgrade Open WebUI container to patched version
docker pull ghcr.io/open-webui/open-webui:0.8.9
docker stop open-webui
docker rm open-webui
docker run -d \
--name open-webui \
-p 8080:8080 \
-v open-webui:/app/backend/data \
--restart always \
ghcr.io/open-webui/open-webui:0.8.9