Authorization Bypass Through User-Controlled Key Affecting open-webui package, versions [,0.9.6)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.17% (7th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Authorization Bypass Through User-Controlled Key vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-OPENWEBUI-17400343
  • published22 Jun 2026
  • disclosed17 Jun 2026
  • credit0xEr3n, 5yu4n

Introduced: 17 Jun 2026

NewCVE-2026-54015  (opens in a new tab)
CWE-284  (opens in a new tab)
CWE-639  (opens in a new tab)

How to fix?

Upgrade open-webui to version 0.9.6 or higher.

Overview

open-webui is an Open WebUI

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the handling of prompt history operations, including compute_diff, update_prompt_version, and delete_history_entry. An attacker can access or delete another user's private prompt history entries by supplying known victim history IDs to these endpoints after authenticating with their own prompt. This allows unauthorized reading of sensitive prompt snapshots and deletion of version history entries belonging to other users.

CVSS Base Scores

version 4.0
version 3.1