CVE-2026-45386 Overview
CVE-2026-45386 is an authorization flaw in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The vulnerability lies in the pin/unpin functionality of standard channels. Before version 0.9.5, the platform validates only read permission before allowing a pin or unpin operation, so a user with read-only access to a channel can modify the is_pinned, pinned_by, and pinned_at fields of any message in that channel. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Open WebUI fixed it in version 0.9.5.
Critical Impact
Authenticated users with read-only access can modify message metadata in channels, undermining channel integrity and audit trails.
Affected Products
- Open WebUI versions prior to 0.9.5
- Self-hosted Open WebUI deployments using standard channels
- Open WebUI instances with multi-user role-based access control enabled
Discovery Timeline
- 2026-05-15 - CVE-2026-45386 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45386
Vulnerability Analysis
The vulnerability is a broken access control issue in Open WebUI's channel message handling. Pin and unpin actions are write operations because they alter persisted message fields. The affected code path checks only read permission when invoked through standard channels. This permission mismatch allows lower-privileged users to perform a write action that should require channel moderation rights.
The affected fields are is_pinned (boolean state), pinned_by (user identifier), and pinned_at (timestamp). An attacker can pin arbitrary messages to change which content the channel surfaces as pinned, or unpin messages that a moderator legitimately pinned. Because the operation overwrites pinned_by with the requester's identifier, the record of who originally pinned a message is lost, and an audit that relies on these fields alone cannot reconstruct the legitimate pin state.
Root Cause
The root cause is inconsistent permission enforcement between read and write operations on the same resource. The endpoint serving pin/unpin requests reuses the read-permission check rather than enforcing a separate write or moderation permission. Because the request carries a user-supplied message identifier and the only authorization performed on it is the read check, this is a CWE-639 authorization bypass: the access control applied does not match the sensitivity of the operation.
Attack Vector
Exploitation requires network access to the Open WebUI instance and valid authenticated credentials with read access to a standard channel. The attacker sends a pin or unpin API request targeting a message identifier in a channel they can view. The server processes the request without verifying write or moderation permissions, applies the change, and persists the modified fields. No user interaction from the legitimate owner or moderator is required.
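The permission mismatch described above, as an added illustration rather than Open WebUI's own code: a handler that reuses the read check on the pin/unpin write path, beside a hardened handler that requires moderation rights. The role names, the membership table, and the Message fields other than is_pinned, pinned_by and pinned_at are assumptions made for the demo; only the behaviour (read-only member can pin and unpin, moderator identity overwritten in pinned_by) follows the advisory.

```python
# Added illustration, not Open WebUI code. Role model and membership table
# are hypothetical; the three pinned fields are the ones the advisory names.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

READ, WRITE, MODERATE = "read", "write", "moderate"


class Forbidden(Exception):
    """Raised when a permission check fails (stand-in for an HTTP 403)."""


@dataclass
class Message:
    id: str
    channel_id: str
    content: str
    is_pinned: bool = False
    pinned_by: Optional[str] = None
    pinned_at: Optional[datetime] = None


# Hypothetical membership table: channel -> user -> granted permissions.
MEMBERS = {
    "general": {
        "alice": {READ, WRITE, MODERATE},  # channel moderator
        "bob": {READ},                     # read-only member
    }
}


def has_permission(user_id: str, channel_id: str, perm: str) -> bool:
    return perm in MEMBERS.get(channel_id, {}).get(user_id, set())


def _apply_pin(msg: Message, user_id: str, pinned: bool) -> None:
    # The persisted write: all three fields change, and pinned_by is
    # overwritten with whoever made the request.
    msg.is_pinned = pinned
    msg.pinned_by = user_id if pinned else None
    msg.pinned_at = datetime.now(timezone.utc) if pinned else None


def pin_message_vulnerable(messages, user_id, message_id, pinned=True):
    """Pre-0.9.5 pattern as the advisory describes it: only READ is checked,
    so any member who can view the channel can pin or unpin any message."""
    msg = messages[message_id]
    if not has_permission(user_id, msg.channel_id, READ):
        raise Forbidden("no read access to channel")
    _apply_pin(msg, user_id, pinned)
    return msg


def pin_message_fixed(messages, user_id, message_id, pinned=True):
    """Hardened variant: pin state is a write to message metadata, so the
    check must match that sensitivity and require moderation rights."""
    msg = messages[message_id]
    if not has_permission(user_id, msg.channel_id, MODERATE):
        raise Forbidden("pin/unpin requires channel moderation rights")
    _apply_pin(msg, user_id, pinned)
    return msg


def make_messages():
    """Constructed sample channel: m1 already pinned by the moderator alice."""
    m1 = Message("m1", "general", "Release process", True, "alice",
                 datetime(2026, 5, 16, 9, 0, tzinfo=timezone.utc))
    m2 = Message("m2", "general", "lunch?")
    return {m.id: m for m in (m1, m2)}


def attempt(handler, user_id, message_id, pinned=True):
    """Run a handler on a fresh channel; report 'allowed:<pinned_by>' or 'denied'."""
    messages = make_messages()
    try:
        msg = handler(messages, user_id, message_id, pinned)
    except Forbidden:
        return "denied"
    return f"allowed:{msg.pinned_by}"


if __name__ == "__main__":
    # Read-only bob pins m2 and unpins alice's m1 on the vulnerable path...
    print(attempt(pin_message_vulnerable, "bob", "m2"))         # allowed:bob
    print(attempt(pin_message_vulnerable, "bob", "m1", False))  # allowed:None
    # ...and is refused on the fixed path, while the moderator still can.
    print(attempt(pin_message_fixed, "bob", "m2"))              # denied
    print(attempt(pin_message_fixed, "alice", "m2"))            # allowed:alice
```

The fixed handler drops the separate read check only because, in this model, moderation implies membership; in a real code base keep whichever checks the framework already applies and add the moderation requirement on top, rather than swapping one for the other.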
No public proof-of-concept exploit is available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Open WebUI GitHub Security Advisory for vendor details.
Detection Methods for CVE-2026-45386
Indicators of Compromise
- Unexpected changes to the is_pinned, pinned_by, or pinned_at fields on channel messages
- Pin or unpin events in application logs originating from accounts without moderator roles
- Messages pinned outside of normal moderator working hours or in bulk
- API requests to pin/unpin endpoints from accounts that have only read access to the target channel
Detection Strategies
- Query the Open WebUI database for messages where pinned_by references an account that lacks channel moderation privileges
- Correlate authenticated session activity against pin/unpin endpoint access in reverse proxy or application logs
- Alert on anomalous spikes in pin-state modifications across channels within short time windows
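The three detection strategies above, worked through in one added example that is not part of Open WebUI: a database hunt for pinned messages whose pinned_by is not a moderator, a join of reverse-proxy pin/unpin requests against channel roles, and a sliding-window burst check. The table and column names other than is_pinned, pinned_by and pinned_at, the /pin and /unpin URL shape, and the trailing user= field in the log are assumptions for the demo; adapt them to the deployment's real schema and log format. All rows and log lines are constructed.

```python
# Added detection example, not Open WebUI code. Schema, URL shape and the
# user= log field are assumptions; sample rows and log lines are constructed.
import re
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE channel_member (channel_id TEXT, user_id TEXT, role TEXT);
CREATE TABLE message (id TEXT, channel_id TEXT, content TEXT,
                      is_pinned INTEGER, pinned_by TEXT, pinned_at TEXT);
"""

# Constructed snapshot: bob is a plain member yet appears as pinned_by.
SAMPLE_ROWS = {
    "channel_member": [("general", "alice", "moderator"),
                       ("general", "bob", "member"),
                       ("general", "carol", "member")],
    "message": [("m1", "general", "Release process", 1, "alice", "2026-05-16T09:00:12Z"),
                ("m2", "general", "lunch?", 1, "bob", "2026-05-16T23:41:10Z"),
                ("m3", "general", "old thread", 0, None, None)],
}

# (a) Pinned messages whose pinned_by holds no moderator/admin role there.
UNAUTHORIZED_PINS_SQL = """
SELECT m.id, m.channel_id, m.pinned_by, m.pinned_at
FROM message AS m
LEFT JOIN channel_member AS cm
       ON cm.channel_id = m.channel_id AND cm.user_id = m.pinned_by
WHERE m.is_pinned = 1
  AND COALESCE(cm.role, '') NOT IN ('moderator', 'admin')
ORDER BY m.pinned_at
"""


def unauthorized_pins(rows=SAMPLE_ROWS):
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO channel_member VALUES (?, ?, ?)", rows["channel_member"])
    con.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?, ?)", rows["message"])
    return con.execute(UNAUTHORIZED_PINS_SQL).fetchall()


# (b) Constructed CLF lines plus a user=<id> field the proxy is assumed to
# append once it has resolved the session.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2026:09:00:12 +0000] "POST /api/v1/channels/general/messages/m1/pin HTTP/1.1" 200 41 user=alice
10.0.0.9 - - [16/May/2026:23:41:10 +0000] "POST /api/v1/channels/general/messages/m2/pin HTTP/1.1" 200 41 user=bob
10.0.0.9 - - [16/May/2026:23:41:11 +0000] "POST /api/v1/channels/general/messages/m1/unpin HTTP/1.1" 200 41 user=bob
10.0.0.9 - - [16/May/2026:23:41:12 +0000] "POST /api/v1/channels/general/messages/m3/pin HTTP/1.1" 200 41 user=bob
10.0.0.7 - - [16/May/2026:23:45:00 +0000] "GET /api/v1/channels/general/messages HTTP/1.1" 200 1288 user=carol
"""
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \d+ user=(?P<user>\S+)$')
PIN_PATH_RE = re.compile(r'^/api/v1/channels/(?P<channel>[^/]+)/messages/(?P<msg>[^/]+)/(?P<action>pin|unpin)$')


def pin_events(log_text=SAMPLE_LOG):
    """Parse successful POST pin/unpin requests out of the access log."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PIN_PATH_RE.match(m["path"])
        if not p or m["method"] != "POST" or m["status"] != "200":
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                       "user": m["user"], "channel": p["channel"],
                       "msg": p["msg"], "action": p["action"]})
    return events


def non_moderator_pin_events(events, rows=SAMPLE_ROWS):
    """Join log events against channel roles; keep those from non-moderators."""
    role = {(c, u): r for c, u, r in rows["channel_member"]}
    return [e for e in events
            if role.get((e["channel"], e["user"])) not in ("moderator", "admin")]


def bursts(events, window=timedelta(seconds=60), threshold=3):
    """Users with >= threshold pin-state changes inside any sliding window."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(unauthorized_pins())   # [('m2', 'general', 'bob', '2026-05-16T23:41:10Z')]
    print(bursts(pin_events()))  # {'bob': 3}
```

The log join is the only one of the three that can catch an unpin, since an unpinned message leaves nothing behind in the database; run the SQL hunt for current state and the log hunt for history, and treat a burst from a non-moderator account as the highest-confidence signal.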
Monitoring Recommendations
- Forward Open WebUI application logs to a centralized logging platform for retention and analysis
- Monitor HTTP request patterns to channel message endpoints, particularly write actions from read-only role accounts
- Track Open WebUI version inventory across self-hosted deployments to identify hosts still running versions earlier than 0.9.5
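A version-inventory check for the last recommendation, as an added example that is not Open WebUI's own tooling. It assumes each instance answers GET /api/version with a JSON body of the form {"version": "..."}; that endpoint is an assumption here, not something the advisory states, so confirm it against your deployment. The inventory at the bottom is constructed so the block runs offline.

```python
# Added example, not Open WebUI code. The /api/version endpoint and its JSON
# shape are assumptions; SAMPLE_INVENTORY is constructed for the offline demo.
import json
import re
import urllib.request

FIXED = (0, 9, 5)  # first release with the fix per the advisory
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'v0.9.5' -> (0, 9, 5); '0.10.0-rc1' -> (0, 10, 0); ValueError otherwise."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version_text, fixed=FIXED):
    # Compare as integer tuples, never as strings: "0.10.0" < "0.9.5" lexically.
    return parse_version(version_text) < fixed


def fetch_version(base_url, timeout=5):
    """Query a live instance (network call; not used by the offline demo)."""
    url = f"{base_url.rstrip('/')}/api/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


def inventory_report(inventory):
    """inventory: {host: version string or None}. Returns {host: status}."""
    report = {}
    for host, ver in inventory.items():
        if ver is None:
            report[host] = "unknown"       # unreachable: treat as vulnerable
            continue
        try:
            report[host] = "vulnerable" if needs_upgrade(ver) else "patched"
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed stand-in for a dict built from fetch_version() calls.
SAMPLE_INVENTORY = {
    "https://ai.corp.example": "0.9.4",
    "https://lab.corp.example": "v0.9.5",
    "https://dev.corp.example": "0.10.0",
    "https://old.corp.example": None,
}

if __name__ == "__main__":
    for host, status in inventory_report(SAMPLE_INVENTORY).items():
        print(f"{status:11} {host}")
```

Hosts reported as unknown or unparseable should be checked by hand rather than dropped from the list; an instance that cannot be queried is not evidence that it is patched.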
How to Mitigate CVE-2026-45386
Immediate Actions Required
- Upgrade all Open WebUI instances to version 0.9.5 or later
- Audit channel message pin states and revert unauthorized changes identified during review
- Review role assignments and remove unnecessary channel access for users who do not require it
- Rotate API tokens and session credentials if unauthorized pin activity is confirmed
Patch Information
Open WebUI fixed CVE-2026-45386 in version 0.9.5. The fix enforces write-level permission validation on the pin and unpin code paths in standard channels. Administrators should pull the updated container image or release artifact and redeploy. Refer to the GHSA-5gc6-xhv4-2wg6 advisory for full release notes.
Workarounds
- Restrict access to standard channels to trusted users only until the upgrade is applied
- Place the Open WebUI instance behind an authenticating reverse proxy and limit access to known administrators
- Disable or restrict the use of standard channels in multi-user deployments where role separation cannot be enforced
# Upgrade Open WebUI container to the patched release
docker pull ghcr.io/open-webui/open-webui:0.9.5
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui \
-p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.9.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.