Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54015

CVE-2026-54015: Open WebUI Auth Bypass Vulnerability

CVE-2026-54015 is an authentication bypass flaw in Open WebUI that allows authenticated users to read or delete private prompt history of other users. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-54015 Overview

CVE-2026-54015 is a broken access control vulnerability [CWE-284] in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The flaw affects all versions prior to 0.9.6. The prompt version-history endpoints authorize the prompt_id in the URL but then operate on caller-supplied history IDs without verifying that the history row belongs to that prompt. An authenticated user can read or delete another user's private prompt history by supplying a victim prompt_history.id while referencing a prompt they control.

Critical Impact

Authenticated attackers can access or destroy other users' private prompt history data across multi-tenant Open WebUI deployments.

Affected Products

  • Open WebUI versions prior to 0.9.6
  • Endpoint: /api/v1/prompts/id/{prompt_id}/history/diff
  • Endpoint: /api/v1/prompts/id/{prompt_id}/update/version
  • Endpoint: /api/v1/prompts/id/{prompt_id}/history/{history_id}

Discovery Timeline

  • 2026-06-23 - CVE-2026-54015 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-54015

Vulnerability Analysis

The vulnerability stems from incomplete authorization logic in Open WebUI's prompt version-history endpoints. The application verifies that the authenticated caller has access to the prompt referenced by prompt_id in the URL path. However, the same handlers then act on a separate history_id parameter without confirming that history_entry.prompt_id == prompt.id.

This decoupling allows cross-object reference. An attacker presents a prompt_id they legitimately own alongside a history_id belonging to a victim's prompt. The authorization check passes on the owned prompt, while the data operation targets the victim's history record.

Three endpoints exhibit this flaw. The history/diff endpoint exposes private content through read access. The update/version endpoint allows tampering with version state. The history/{history_id} DELETE endpoint enables destruction of another user's history rows.

Root Cause

The root cause is missing relational validation between two identifiers processed in the same request. The code trusts that a valid prompt_id authorization scope implies authorization over any referenced history_id. Proper enforcement requires querying the history record and confirming its parent prompt_id matches the authorized prompt before executing the action.

Attack Vector

Exploitation requires network access to the Open WebUI API and an authenticated session. The attacker must own or control at least one prompt and must know or enumerate a target prompt_history.id. History IDs are typically integer or UUID identifiers, making targeted attacks more practical than blind enumeration in some deployments.

No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-4r4w-2wgp-w7cj for vendor technical details.

Detection Methods for CVE-2026-54015

Indicators of Compromise

  • Requests to /api/v1/prompts/id/{prompt_id}/history/* where the responding history record's owner differs from the authenticated user.
  • Unexpected DELETE requests against /api/v1/prompts/id/{prompt_id}/history/{history_id} from non-administrative accounts.
  • User reports of missing or modified prompt version history without corresponding owner activity.

Detection Strategies

  • Enable verbose API access logging on the Open WebUI backend and correlate prompt_id and history_id pairs against database ownership records.
  • Alert on high-frequency access to the history/diff endpoint from a single authenticated session.
  • Review application logs for sequential or scripted access patterns targeting incrementing history_id values.

Monitoring Recommendations

  • Forward Open WebUI reverse proxy and application logs to a centralized analytics platform for retrospective queries.
  • Establish baselines for normal prompt history API usage per user and flag deviations.
  • Monitor for unauthenticated reconnaissance attempts against /api/v1/prompts/ paths preceding authenticated abuse.

How to Mitigate CVE-2026-54015

Immediate Actions Required

  • Upgrade Open WebUI to version 0.9.6 or later, which contains the authorization fix.
  • Audit prompt history tables for unauthorized deletions or modifications since the deployment was first exposed.
  • Rotate or invalidate active user sessions after upgrading to remove any in-flight abuse.

Patch Information

The vulnerability is fixed in Open WebUI 0.9.6. The patch adds verification that history_entry.prompt_id == prompt.id before any read, update, or delete action is performed on a history record. Refer to the GitHub Security Advisory for upstream commit references.

Workarounds

  • Restrict Open WebUI access to trusted users only until the upgrade can be applied.
  • Place the application behind an authenticating reverse proxy with per-user rate limiting on /api/v1/prompts/ routes.
  • Temporarily disable shared or multi-tenant prompt workflows to reduce exposure of victim history IDs.
bash
# Upgrade Open WebUI via pip
pip install --upgrade open-webui>=0.9.6

# Or upgrade the official Docker image
docker pull ghcr.io/open-webui/open-webui:0.9.6
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui \
  -p 3000:8080 \
  -v open-webui:/app/backend/data \
  ghcr.io/open-webui/open-webui:0.9.6

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.