CVE-2026-45387 Overview
CVE-2026-45387 is an information disclosure vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. When an administrator grants a group read access to a model so that its members can use it, those members can also read the model's system prompt. Operators frequently treat system prompts as confidential intellectual property because they may contain proprietary instructions, business logic, or sensitive context. The flaw is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, affects all versions prior to 0.9.5, and is fixed in version 0.9.5.
Critical Impact
Authenticated users who already hold read permission on a model can extract its system prompt, exposing proprietary instructions and embedded business logic to people who were only meant to use the model. The impact is confined to confidentiality: no write or execution capability is gained.
Affected Products
- Open WebUI versions prior to 0.9.5
- Self-hosted Open WebUI deployments using group-based model permissions
- Multi-tenant Open WebUI environments where system prompts contain confidential content
Discovery Timeline
- 2026-05-15 - CVE-2026-45387 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45387
Vulnerability Analysis
The vulnerability resides in Open WebUI's model permission model. Administrators can assign groups read access so members can invoke a model for inference. The expected behavior is that read access permits use of the model but does not expose its underlying configuration. In affected versions, once the read check passes, the model record is returned with the system prompt field included alongside the other model metadata.
Operators commonly embed sensitive content in system prompts. Examples include proprietary task instructions, retrieval-augmented context, internal policy text, and customer-specific tuning. When the platform returns this field to every user with read access, it breaks the confidentiality boundary that administrators assumed existed between "use" and "view configuration."
The vulnerability requires authentication and a valid permission grant, which limits the attack population to legitimate platform users. It does not enable code execution, data tampering, or service disruption.
Root Cause
The root cause is missing access control granularity. The permission layer treats model metadata as a single object rather than distinguishing between fields needed for inference and fields that constitute configuration. Read access intended for usage inadvertently grants visibility into the system_prompt attribute.
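The split between "use" and "view configuration" that the root cause describes, as an added example (not Open WebUI's code): a deliberately vulnerable serializer that returns the whole model record to any reader, beside a fixed one that withholds configuration fields unless the caller may edit the model, plus a server-side prompt assembly step of the kind the Workarounds section recommends. The dataclasses, ACL fields, function names and sample users are hypothetical.

```python
"""Field-level access control for model metadata (added example, not Open WebUI code).

Models the root cause: one "read" grant unlocks the whole model record,
including the system prompt, while the fix hands read-only users only what
they need to invoke the model. Dataclasses, ACL fields and function names are
hypothetical; the users and model at the bottom are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class User:
    id: str
    role: str                                   # "admin" or "user"
    group_ids: Set[str] = field(default_factory=set)


@dataclass
class Model:
    id: str
    name: str
    owner_id: str
    system_prompt: str                          # configuration: the client never needs it
    read_group_ids: Set[str] = field(default_factory=set)   # groups allowed to use the model
    write_group_ids: Set[str] = field(default_factory=set)  # groups allowed to edit it


def can_read(model: Model, user: User) -> bool:
    return (user.role == "admin" or user.id == model.owner_id
            or bool(user.group_ids & model.read_group_ids))


def can_write(model: Model, user: User) -> bool:
    return (user.role == "admin" or user.id == model.owner_id
            or bool(user.group_ids & model.write_group_ids))


def serialize_vulnerable(model: Model, user: User) -> Optional[dict]:
    """Pre-fix shape: a single permission check, then the entire record."""
    if not can_read(model, user):
        return None
    return {"id": model.id, "name": model.name,
            "system_prompt": model.system_prompt}   # leaks to every reader


def serialize_fixed(model: Model, user: User) -> Optional[dict]:
    """Post-fix shape: read grants the fields needed to call the model;
    configuration fields are added only for users who may edit it."""
    if not can_read(model, user):
        return None
    public = {"id": model.id, "name": model.name}
    if can_write(model, user):
        public["system_prompt"] = model.system_prompt
    return public


def build_messages(model: Model, user: User, text: str) -> Optional[List[dict]]:
    """Server-side prompt assembly: the prompt is applied to the request
    on the server and is never part of anything returned to the caller."""
    if not can_read(model, user):
        return None
    return [{"role": "system", "content": model.system_prompt},
            {"role": "user", "content": text}]


# Constructed sample data for the demonstration.
ADMIN = User("u-admin", "admin")
OWNER = User("u-owner", "user")
MEMBER = User("u-member", "user", {"g-support"})      # granted read via a group
OUTSIDER = User("u-other", "user", {"g-sales"})       # no grant at all
SUPPORT_BOT = Model("m-support", "Support bot", "u-owner",
                    "Internal: escalate refunds over 500 EUR to tier 2.",
                    read_group_ids={"g-support"})

if __name__ == "__main__":
    print("vulnerable:", serialize_vulnerable(SUPPORT_BOT, MEMBER))
    print("fixed:     ", serialize_fixed(SUPPORT_BOT, MEMBER))
    print("inference: ", build_messages(SUPPORT_BOT, MEMBER, "Where is my refund?"))
```

The fixed serializer keeps the read/write split as two separate checks rather than one boolean, which is the granularity the pre-fix code lacked; `build_messages` shows that withholding the prompt from the response does not stop it from being applied when the model is used.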
Attack Vector
An authenticated user belonging to a group with model read permission queries the model details endpoint or inspects model metadata exposed in the user interface. The response includes the system prompt content. No special tooling, privilege escalation, or social engineering is required. Refer to the GitHub Security Advisory GHSA-h2cw-7qw9-56xr for vendor details.
Detection Methods for CVE-2026-45387
Indicators of Compromise
- Unexpected API calls to model detail or model configuration endpoints from low-privilege user accounts; because the same endpoints serve the normal user interface, individual requests are expected and only their volume or breadth is notable
- User accounts retrieving model metadata for models they have not previously invoked
- Anomalous volume of model enumeration requests originating from a single authenticated session
Detection Strategies
- Audit Open WebUI access logs for repeated reads of model metadata endpoints by non-administrative users
- Compare the Open WebUI server version reported by the deployment against the fixed release 0.9.5 to identify exposed instances
- Review group membership and model permission assignments to identify models whose system prompts contain confidential content and are shared via group read access
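A script for the last two strategies, added here as an example rather than an Open WebUI tool: it checks a reported version against the fixed release and lists models whose system prompt looks confidential yet is readable by a group or by everyone. The model record shape (params.system, an access_control object with read and write blocks of group_ids and user_ids, and null meaning every user) is an assumption modelled on how Open WebUI exports models; confirm it against your instance before relying on the output. The version string can come from the instance's version endpoint (GET /api/version on current releases; confirm for yours) or from the image tag. The sample records are constructed.

```python
"""Audit server version and model prompt exposure (added example, not an Open WebUI tool).

Assumed model record shape: {"id", "params": {"system": ...},
"access_control": {"read": {"group_ids": [], "user_ids": []}, "write": {...}}}
with access_control = None meaning the model is visible to every user.
Sensitive-content heuristics and the sample records are constructed.
"""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = (0, 9, 5)

# Heuristics for prompt text operators usually treat as confidential.
SENSITIVE_PATTERNS = [
    re.compile(r"\b(?:confidential|proprietary|internal only|do not (?:reveal|disclose))\b", re.I),
    re.compile(r"\b(?:sk|key|token)[-_][A-Za-z0-9]{16,}\b"),          # embedded API keys
    re.compile(r"https?://\S+\.(?:internal|corp|local)\b", re.I),      # internal hostnames
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """'v0.9.4' -> (0, 9, 4); suffixes such as '-rc1' are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable_version(text: str) -> bool:
    return parse_version(text) < FIXED_VERSION


def looks_confidential(prompt: str) -> bool:
    return any(p.search(prompt) for p in SENSITIVE_PATTERNS)


def readers(model: dict) -> Optional[Tuple[List[str], List[str]]]:
    """(group_ids, user_ids) holding read access, or None when the model is public."""
    acl = model.get("access_control")
    if acl is None:                       # assumed convention: null ACL means every user
        return None
    read = acl.get("read") or {}
    return list(read.get("group_ids", [])), list(read.get("user_ids", []))


def audit_models(models: List[dict]) -> List[dict]:
    """Findings for models whose confidential-looking prompt is shared beyond the owner."""
    findings = []
    for m in models:
        prompt = (m.get("params") or {}).get("system") or ""
        if not looks_confidential(prompt):
            continue
        r = readers(m)
        if r is None:
            findings.append({"id": m["id"], "exposure": "public", "groups": [], "users": []})
        elif r[0] or r[1]:
            findings.append({"id": m["id"], "exposure": "shared", "groups": r[0], "users": r[1]})
    return findings


# Constructed sample export: one shared confidential prompt, one public harmless
# prompt, one confidential prompt nobody else can read, one public prompt with a key.
SAMPLE_MODELS = [
    {"id": "support-bot", "user_id": "u-owner",
     "params": {"system": "CONFIDENTIAL: refund override steps are at https://wiki.corp.internal/runbook"},
     "access_control": {"read": {"group_ids": ["g-support"], "user_ids": []},
                        "write": {"group_ids": [], "user_ids": []}}},
    {"id": "public-faq", "user_id": "u-owner",
     "params": {"system": "You answer questions about store opening hours."},
     "access_control": None},
    {"id": "research-private", "user_id": "u-owner",
     "params": {"system": "Proprietary scoring rules: weight recency at 0.7."},
     "access_control": {"read": {"group_ids": [], "user_ids": []},
                        "write": {"group_ids": [], "user_ids": []}}},
    {"id": "keyed-bot", "user_id": "u-owner",
     "params": {"system": "Use token sk-ABCDEF0123456789abcdef for the CRM lookup."},
     "access_control": None},
]

if __name__ == "__main__":
    print("vulnerable 0.9.4:", is_vulnerable_version("v0.9.4"))
    for f in audit_models(SAMPLE_MODELS):
        print(f)
```

The heuristics are deliberately conservative; the point is to produce a short list of prompts a human reviews, not to classify every model. Anything flagged as shared with a group is exactly the case the advisory describes, and should be treated as disclosed to that group's members for as long as the instance ran a version before 0.9.5.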
Monitoring Recommendations
- Forward Open WebUI application logs to a centralized logging or SIEM platform for correlation with identity events
- Alert on bulk enumeration of model configuration endpoints by individual user tokens
- Track changes to model permission assignments and notify administrators when sensitive models gain new group readers
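The bulk-enumeration alert from the monitoring list, worked through over a constructed access log as an added example (not part of the page or of Open WebUI). The log format, a reverse proxy writing timestamp, user id, role, method, path and status, and the model detail route in the regex are assumptions; adjust both to what your proxy and your release actually emit. Because the same endpoint serves normal UI traffic, the detector keys on how many distinct models one non-admin user fetches within a time window rather than on any single request.

```python
"""Flag bulk model-metadata reads by non-admin users (added example, not Open WebUI code).

Assumed log line: "<iso-timestamp> user=<id> role=<role> <METHOD> <path> <status>".
Assumed route for a single model's metadata: /api/v1/models/model?id=<model>.
The log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
MODEL_DETAIL_RE = re.compile(r"^/api/v1/models/model\?id=(?P<model>[^&\s]+)")  # assumed route


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["status"] = int(ev["status"])
    return ev


def detect_bulk_reads(lines: List[str], window: timedelta = timedelta(minutes=5),
                      threshold: int = 5) -> List[Dict]:
    """One alert per non-admin user who successfully fetched metadata for more
    than `threshold` distinct models inside any `window`-long span."""
    reads = defaultdict(list)                     # user -> [(ts, model_id)]
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["status"] != 200 or ev["role"] == "admin":
            continue
        m = MODEL_DETAIL_RE.match(ev["path"])
        if m:
            reads[ev["user"]].append((ev["ts"], m["model"]))

    alerts = []
    for user, events in reads.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over sorted reads
            seen = {mid for ts, mid in events[i:] if ts - start <= window}
            if len(seen) > threshold:
                alerts.append({"user": user, "distinct_models": len(seen),
                               "window_start": start.isoformat()})
                break
    return alerts


# Constructed log: an admin browsing (ignored), a member walking seven models in
# two minutes (alert), and another user reading two models, one of them denied.
SAMPLE_LOG = """\
2026-05-20T09:00:00Z user=u-admin role=admin GET /api/v1/models/model?id=m-1 200
2026-05-20T09:00:01Z user=u-admin role=admin GET /api/v1/models/model?id=m-2 200
2026-05-20T09:00:02Z user=u-admin role=admin GET /api/v1/models/model?id=m-3 200
2026-05-20T09:10:00Z user=u-member role=user GET /api/v1/models/model?id=m-1 200
2026-05-20T09:10:15Z user=u-member role=user GET /api/v1/models/model?id=m-2 200
2026-05-20T09:10:30Z user=u-member role=user GET /api/v1/models/model?id=m-3 200
2026-05-20T09:10:45Z user=u-member role=user GET /api/v1/models/model?id=m-4 200
2026-05-20T09:11:00Z user=u-member role=user GET /api/v1/models/model?id=m-5 200
2026-05-20T09:11:30Z user=u-member role=user GET /api/v1/models/model?id=m-6 200
2026-05-20T09:12:00Z user=u-member role=user GET /api/v1/models/model?id=m-7 200
2026-05-20T09:30:00Z user=u-other role=user GET /api/v1/models/model?id=m-1 200
2026-05-20T09:31:00Z user=u-other role=user GET /api/v1/models/model?id=m-2 200
2026-05-20T09:32:00Z user=u-other role=user GET /api/v1/models/model?id=m-3 403
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LOG):
        print(alert)
```

Tune `threshold` to the number of models a normal user sees in the picker; a user whose distinct-model count in five minutes exceeds what the UI would load on its own is the case worth a look, and the alert carries the window start so the analyst can pull the surrounding requests.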
How to Mitigate CVE-2026-45387
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.5 or later across all self-hosted deployments
- Inventory existing models and identify any whose system prompts contain confidential or proprietary content
- Treat system prompts that were shared through group read access as disclosed: rewrite instructions whose value depended on secrecy and rotate any credentials, keys, or internal URLs embedded in them
Patch Information
The vendor released a fix in Open WebUI 0.9.5. The patch enforces stricter access control on the system prompt field so users with model read access can invoke the model without retrieving its underlying configuration. Patch details are documented in the Open WebUI Security Advisory GHSA-h2cw-7qw9-56xr.
Workarounds
- Remove confidential content from system prompts on vulnerable versions until the upgrade is applied
- Restrict model group permissions to trusted users only, reducing the population that can read exposed prompts
- Move sensitive instructions out of the system prompt and into server-side prompt assembly logic that is not returned to clients
# Upgrade Open WebUI container to the fixed release.
# Confirm the exact tag for 0.9.5 in the ghcr.io registry before pulling;
# release images usually carry a leading "v" in the tag.
docker pull ghcr.io/open-webui/open-webui:0.9.5
# The named volume holds the database and uploads, so the old container can be removed.
docker stop open-webui
docker rm open-webui
# Re-create with the same flags the original deployment used (ports, env vars, extra hosts).
docker run -d \
  --name open-webui \
  -p 3000:8080 \
  -v open-webui:/app/backend/data \
  --restart always \
  ghcr.io/open-webui/open-webui:0.9.5
# Confirm the new version started cleanly before closing the change.
docker logs --tail 20 open-webui
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.