CVE-2026-45666 Overview
CVE-2026-45666 is an authorization flaw in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The /api/v1/notes/{note_id} endpoint fails to verify note ownership before returning data. Any authenticated user can retrieve notes belonging to other users by supplying or enumerating universally unique identifiers (UUIDs). The issue is tracked as [CWE-639: Authorization Bypass Through User-Controlled Key] and affects all versions prior to 0.8.11. The maintainers fixed the flaw in release 0.8.11.
Critical Impact
Authenticated users can read arbitrary notes belonging to other accounts, exposing potentially sensitive prompts, conversations, and private data stored in the Open WebUI notes feature.
Affected Products
- Open WebUI versions prior to 0.8.11
- Self-hosted Open WebUI deployments with multi-user access enabled
- Open WebUI instances exposing the /api/v1/notes/{note_id} endpoint
Discovery Timeline
- 2026-05-15 - CVE-2026-45666 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45666
Vulnerability Analysis
The vulnerability resides in the Open WebUI notes API. When a client issues a GET request to /api/v1/notes/{note_id}, the handler authenticates the session but never confirms that the supplied note_id belongs to the requesting user. An attacker holding any valid account credential can request notes owned by other users.
Note identifiers are UUIDs, which provide unpredictability but not authorization. An attacker who obtains a UUID through logging, referrer leakage, shared links, or systematic enumeration can read the corresponding note. The flaw exposes confidentiality without affecting integrity or availability, since the endpoint serves read operations.
Open WebUI is commonly deployed as an interface to local large language models. Notes often contain proprietary prompts, API keys pasted into conversations, business context, and other private content. Cross-tenant access in shared corporate or community deployments amplifies the impact.
Root Cause
The handler implements authentication but omits an ownership check between the session principal and the note record. This is a textbook Insecure Direct Object Reference (IDOR) pattern classified under [CWE-639]. The fix in version 0.8.11 introduces the missing authorization comparison.
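To make the root cause concrete, here is an added illustration (not Open WebUI's code, and not the actual 0.8.11 patch) of a notes lookup in the CWE-639 shape beside the same lookup with the ownership comparison in place. The `HTTPError` class, the `Note` record, and the sample note ids and owners are all constructed for the example.

```python
from dataclasses import dataclass

class HTTPError(Exception):
    """Stand-in for a web framework's HTTP exception; carries the status code."""
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status

@dataclass(frozen=True)
class Note:
    id: str
    user_id: str  # owner of the record
    content: str

# Constructed sample records: UUID-shaped ids belonging to two different users.
ALICE_NOTE_ID = "11111111-1111-4111-8111-111111111111"
BOB_NOTE_ID = "22222222-2222-4222-8222-222222222222"
NOTES = {
    ALICE_NOTE_ID: Note(ALICE_NOTE_ID, "user-alice", "proprietary prompt"),
    BOB_NOTE_ID: Note(BOB_NOTE_ID, "user-bob", "grocery list"),
}

def get_note_vulnerable(note_id: str, session_user_id: str) -> Note:
    """CWE-639 shape: the caller is authenticated, but session_user_id is never
    compared with the note's owner, so the user-supplied key alone decides the result."""
    note = NOTES.get(note_id)
    if note is None:
        raise HTTPError(404, "not found")
    return note

def get_note_fixed(note_id: str, session_user_id: str) -> Note:
    """Same lookup with the missing authorization comparison added."""
    note = NOTES.get(note_id)
    # Treat "missing" and "not yours" alike so the response does not confirm a guessed UUID exists.
    if note is None or note.user_id != session_user_id:
        raise HTTPError(404, "not found")
    return note

def status_of(handler, note_id: str, session_user_id: str) -> int:
    """HTTP status the given handler would produce for this request."""
    try:
        handler(note_id, session_user_id)
        return 200
    except HTTPError as exc:
        return exc.status
```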
Attack Vector
Exploitation requires network access to the Open WebUI instance and a valid low-privilege account. The attacker iterates or harvests UUID values and issues authenticated GET requests against /api/v1/notes/{note_id}. No user interaction or elevated privilege is needed. The vulnerability mechanism is described in the Open WebUI GHSA-x3qm-p8hr-3c3h advisory.
Detection Methods for CVE-2026-45666
Indicators of Compromise
- High-volume GET requests to /api/v1/notes/{note_id} from a single authenticated session targeting many distinct UUIDs.
- Access patterns where one user account retrieves notes whose owner ID does not match the session user ID in application logs.
- Sequential or scripted UUID guessing attempts producing HTTP 200 responses for notes the requester did not create.
Detection Strategies
- Correlate Open WebUI application logs against the database to flag note retrievals where requesting_user_id != note.owner_id.
- Implement rate-based alerting on /api/v1/notes/{note_id} requests per session within short time windows.
- Review reverse proxy or web application firewall (WAF) logs for enumeration signatures against the notes endpoint.
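The first two detection strategies above, owner mismatch and per-session enumeration, as an added example that is not part of the advisory or of Open WebUI's tooling. The log line layout, the owner table and the sample log are all constructed; a real deployment would point `LINE_RE` at its own proxy or application log format and replace `NOTE_OWNERS` with a query against the notes table.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line layout (not Open WebUI's real log format); adapt LINE_RE to the proxy/app logs.
LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
                     r"GET /api/v1/notes/(?P<note>[0-9a-f-]{36}) (?P<status>\d{3})$")
# Constructed owner table, standing in for a lookup against the notes table.
NOTE_OWNERS = {
    "aaaaaaaa-0000-4000-8000-000000000001": "user-alice",
    "aaaaaaaa-0000-4000-8000-000000000002": "user-bob",
    "aaaaaaaa-0000-4000-8000-000000000003": "user-bob",
}
# Constructed sample: alice reads her own note; mallory touches three ids in three seconds.
SAMPLE_LOG = """\
2026-05-16T10:00:00Z session=s1 user=user-alice GET /api/v1/notes/aaaaaaaa-0000-4000-8000-000000000001 200
2026-05-16T10:00:01Z session=s2 user=user-mallory GET /api/v1/notes/aaaaaaaa-0000-4000-8000-000000000002 200
2026-05-16T10:00:02Z session=s2 user=user-mallory GET /api/v1/notes/aaaaaaaa-0000-4000-8000-000000000003 200
2026-05-16T10:00:03Z session=s2 user=user-mallory GET /api/v1/notes/aaaaaaaa-0000-4000-8000-ffffffffffff 404
"""

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines for other endpoints or other formats are skipped
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            e["status"] = int(e["status"])
            yield e

def owner_mismatches(events, owners):
    """Strategy 1: successful reads where the session user is not the note's owner."""
    return [e for e in events
            if e["status"] == 200 and owners.get(e["note"]) not in (None, e["user"])]

def enumeration_sessions(events, window=timedelta(minutes=1), threshold=3):
    """Strategy 2: sessions touching >= threshold distinct note ids within one window.
    404s count too, since failed lookups are the clearest sign of id sweeping."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ids = {e["note"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ids) >= threshold:
                flagged[sid] = len(ids)
                break
    return flagged
```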
Monitoring Recommendations
- Enable verbose audit logging on the Open WebUI API tier and forward events to a centralized logging platform.
- Track per-user note read counts and alert on statistical outliers compared to baseline behavior.
- Monitor authentication events for newly created accounts immediately followed by elevated API activity, which can indicate opportunistic abuse.
How to Mitigate CVE-2026-45666
Immediate Actions Required
- Upgrade all Open WebUI instances to version 0.8.11 or later without delay.
- Audit existing notes for sensitive content and rotate any credentials or secrets that may have been stored in notes.
- Review user account inventories and disable inactive or unknown accounts that could be used for authenticated enumeration.
Patch Information
The vulnerability is fixed in Open WebUI 0.8.11. Release details and the corrective authorization check are documented in the GitHub Security Advisory GHSA-x3qm-p8hr-3c3h. Administrators should pull the updated container image or package and restart the service.
Workarounds
- Restrict Open WebUI access to trusted networks using a reverse proxy access control list until the patch is applied.
- Temporarily disable the notes feature or limit it to single-user deployments where cross-tenant exposure is not a concern.
- Enforce strong account provisioning controls and disable open user registration to reduce the population of accounts that can reach the vulnerable endpoint.
# Upgrade Open WebUI container to the patched release
docker pull ghcr.io/open-webui/open-webui:0.8.11
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui \
-p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.8.11
# Verify the running version
curl -s http://localhost:3000/api/version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.