CVE-2026-45386
MEDIUMOpen WebUI: An IDOR vulnerability exists in the pin_channel_message API endpoint
Title source: cnaDescription
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing users with read-only access to pin/unpin any message. This vulnerability is fixed in 0.9.5.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/open-webui/open-webui/security/advisories/GHSA-5gc6-xhv4-2wg6
Scores
CVSS v3
4.3
EPSS
0.0004
EPSS Percentile
11.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (3)
open-webui/open-webui
< 0.9.5
openwebui/open_webui
< 0.9.5
pypi/open-webui
0 - 0.9.5PyPI
Published
May 15, 2026
Tracked Since
May 16, 2026