Open WebUI AI Platform Vulnerability in User Conversation Handling
CVE-2026-45349

7.1HIGH

Key Information:

Vendor: Open-webui
Status: Open-webui
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-45349?

Open WebUI, a self-hosted platform designed for offline artificial intelligence operations, is vulnerable due to an improper access control issue. Users could exploit an API endpoint to access and continue conversations of other users by using their own API keys and the Chat ID of those users before the issue was resolved in version 0.9.0. This flaw raises significant privacy and security concerns, emphasizing the need for robust access controls in user interaction functionalities.

Affected Version(s)

open-webui < 0.9.0

References

https://github.com/open-webui/open-webui/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
May 11, 2026

CVE-2026-45349 Data

JSON

Open-webui

What is CVE-2026-45349?

Affected Version(s)

References

CVSS V3.1

Timeline