CVE-2026-54006

Source
https://cve.org/CVERecord?id=CVE-2026-54006
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54006.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54006
Aliases
Published
2026-06-23T16:50:44.406Z
Modified
2026-07-15T01:49:14.758159332Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Open WebUI: Calendar event re-parenting allows writing events into another user's calendar
Details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{eventid}/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally. A regular user-role account can therefore create an event in their own calendar and immediately move it into any other user's calendar whose ID they know — bypassing the authorization check that createevent correctly performs. This vulnerability is fixed in 0.9.6.

Database specific
{
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54006.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type
GIT
Repo
https://github.com/open-webui/open-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.9.6"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54006.json"