GHSA-x3qm-p8hr-3c3h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x3qm-p8hr-3c3h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x3qm-p8hr-3c3h/GHSA-x3qm-p8hr-3c3h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x3qm-p8hr-3c3h
- Aliases
-
- CVE-2026-45666
- Published
- 2026-05-14T20:27:56Z
- Modified
- 2026-05-19T16:15:15.494623383Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Open WebUI has an Indirect Object Reference (IDOR) in user notes
- Details
-
Summary
The API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data.
Details
- if notes is enabled from UI (Settings >> General >> Features >> Notes (Beta))
- From API, attacker can access other user notes
- if notes is disabled from UI (Settings >> General >> Features >> Notes (Beta))
- Then attacker can enable the notes from /api/config and access other user notes
PoC
Step 1: Log in to the application as a valid user (User A).
Step 2: Intercept or inspect the response from the endpoint GET /api/config.
Step 3: Observe the field "enable_notes": false in the JSON response.
Step 4: Manually change "enable_notes" to true using browser DevTools or by intercepting and modifying the response via a proxy like Burp Suite. (Please note, the occurrence of this API comes twice, hence modification needs to be made twice as well.)
Step 5: Observe the loaded frontend application; the previously hidden notes form will now be visible.
- Step 6: Again, click on any note, intercept the request, and Replace the note_id in the URL with a different note ID known to belong to another user (e.g., by guessing or bruteforcing).
- Step 7: Send the modified request while remaining logged in as User A.
- Step 8: Observe that the server returns the content of another user's note, confirming unauthorized access.
Impact
- Unauthorized access to user-created notes
- Possible exposure of confidential or sensitive uploaded data
- Violation of user privacy and data isolation
- High risk of legal or compliance breaches in regulated environments
Resolution
Fixed in commit de3317e26, first released in v0.8.11 (Mar 2026). All per-id note endpoints (
GET /api/v1/notes/{id},POST /api/v1/notes/{id}/update,POST /api/v1/notes/{id}/access/update, deletion) now enforce ownership: the handler fetches the note, then requires the caller to be admin, the note owner, or have anAccessGrantsgrant for the appropriate permission (readfor retrieval,writefor mutation). A non-owner with no grant receives 403.Users on
>= 0.8.11are not affected. - if notes is enabled from UI (Settings >> General >> Features >> Notes (Beta))
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2026-05-15T22:16:56Z", "github_reviewed_at": "2026-05-14T20:27:56Z", "cwe_ids": [ "CWE-639" ] }- References
-
- https://github.com/open-webui/open-webui/security/advisories/GHSA-x3qm-p8hr-3c3h
- https://nvd.nist.gov/vuln/detail/CVE-2026-45666
- https://github.com/open-webui/open-webui/commit/de3317e26bb67a2a7ea015a183bbd1d369880ebd
- https://github.com/open-webui/open-webui
- https://github.com/open-webui/open-webui/releases/tag/v0.8.11
Affected packages
PyPI / open-webui
Package
- Name
- open-webui
- View open source insights on deps.dev
- Purl
- pkg:pypi/open-webui
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.8.11