CVE-2026-54006

MEDIUM

Open WebUI: Calendar event re-parenting allows writing events into another user's calendar

Title source: cna
STIX 2.1

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendar_id supplied in the request body. The model layer then persists the new calendar_id unconditionally. A regular user-role account can therefore create an event in their own calendar and immediately move it into any other user's calendar whose ID they know — bypassing the authorization check that create_event correctly performs. This vulnerability is fixed in 0.9.6.

References (1)

Core 1
Core References

Scores

CVSS v3 4.3
EPSS 0.0018
EPSS Percentile 7.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (2)
open-webui/open-webui < 0.9.6
openwebui/open_webui < 0.9.6
Published Jun 23, 2026
Tracked Since Jun 23, 2026