CVE-2026-45387

MEDIUM

Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)

Title source: cna

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However users may consider their system prompt confidential, so this is considered a security issue. This vulnerability is fixed in 0.9.5.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/open-webui/open-webui/security/advisories/GHSA-h2cw-7qw9-56xr

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 7.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (3)

open-webui/open-webui < 0.9.5

openwebui/open_webui < 0.9.5

pypi/open-webui 0 - 0.9.5PyPI

Published May 15, 2026

Tracked Since May 16, 2026