CVE-2026-54006
Status: Undergoing Analysis - In Progress
Calendar ID Authorization Bypass in Open WebUI

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendar_id supplied in the request body. The model layer then persists the new calendar_id unconditionally. A regular user-role account can therefore create an event in its own calendar and immediately move it into any other user's calendar whose ID it knows, bypassing the authorization check that create_event performs correctly. This vulnerability is fixed in 0.9.6.
CVSS Scores
No CVSS score has been published yet (entry still undergoing analysis).

EPSS Scores
Not yet evaluated (Probability: N/A, Percentile: N/A).

Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor      Product     Version / Range
open_webui  open_webui  all versions before 0.9.6 (0.9.6 excluded); affected
open_webui  open_webui  0.9.6; the fixed release per the description
Exploitability

CWE ID   Description
CWE-639  Authorization Bypass Through User-Controlled Key: the system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-54006 is an Insecure Direct Object Reference (IDOR, CWE-639) vulnerability in Open WebUI affecting all releases before 0.9.6 (0.9.5 and earlier).

The calendar event update endpoint, POST /api/v1/calendars/events/{event_id}/update, validates write access to the calendar the event currently belongs to but does not validate the destination calendar_id supplied in the request body.

A regular user can therefore create an event in their own calendar and then move it into another user's calendar by supplying the victim's calendar ID, bypassing the authorization check that event creation enforces.
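The following is an added example, not Open WebUI's code and not part of this advisory. It models the gap described above with a hypothetical in-memory store and a hypothetical owner-only write rule (can_write): update_event_vulnerable reproduces the pattern the description gives (source calendar checked, destination calendar_id persisted unconditionally), and update_event_fixed adds the missing destination check while still allowing moves between calendars the caller may write to. The names, data model and access rule are assumptions made for illustration.

```python
"""Illustration of the CVE-2026-54006 authorization gap (added example;
hypothetical model, not Open WebUI's code)."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for the endpoint's authorization error response."""


@dataclass
class Calendar:
    id: str
    owner_id: str


@dataclass
class Event:
    id: str
    calendar_id: str
    title: str


# Constructed sample data: Alice owns one calendar, Bob owns two.
CALENDARS = {
    "cal-alice": Calendar("cal-alice", "alice"),
    "cal-bob": Calendar("cal-bob", "bob"),
    "cal-bob-2": Calendar("cal-bob-2", "bob"),
}


def can_write(user_id, calendar_id):
    """Hypothetical write-access rule: only the calendar owner may write."""
    cal = CALENDARS.get(calendar_id)
    return cal is not None and cal.owner_id == user_id


def create_event(user_id, calendar_id, title, events):
    """Mirrors the create path, which the advisory says checks its target."""
    if not can_write(user_id, calendar_id):
        raise Forbidden("no write access to calendar")
    ev = Event(f"evt-{len(events) + 1}", calendar_id, title)
    events[ev.id] = ev
    return ev


def update_event_vulnerable(user_id, event_id, form, events):
    """Checks the event's CURRENT calendar only, then persists the
    request body's calendar_id unconditionally (the CVE pattern)."""
    ev = events[event_id]
    if not can_write(user_id, ev.calendar_id):
        raise Forbidden("no write access to event's calendar")
    ev.calendar_id = form.get("calendar_id", ev.calendar_id)  # unchecked
    ev.title = form.get("title", ev.title)
    return ev


def update_event_fixed(user_id, event_id, form, events):
    """Same as above, plus write access to the destination calendar
    whenever the request asks to move the event."""
    ev = events[event_id]
    if not can_write(user_id, ev.calendar_id):
        raise Forbidden("no write access to event's calendar")
    dest = form.get("calendar_id", ev.calendar_id)
    if dest != ev.calendar_id and not can_write(user_id, dest):
        raise Forbidden("no write access to destination calendar")
    ev.calendar_id = dest
    ev.title = form.get("title", ev.title)
    return ev


def demo(handler, dest="cal-alice"):
    """Bob creates an event in his own calendar and asks `handler` to move
    it to `dest`. Returns the event's final calendar, or 'forbidden'."""
    events = {}
    ev = create_event("bob", "cal-bob", "Team sync", events)
    try:
        handler("bob", ev.id, {"calendar_id": dest}, events)
    except Forbidden:
        return "forbidden"
    return events[ev.id].calendar_id


if __name__ == "__main__":
    print("vulnerable, move into Alice's calendar:", demo(update_event_vulnerable))
    print("fixed, move into Alice's calendar:     ", demo(update_event_fixed))
    print("fixed, move between Bob's calendars:   ", demo(update_event_fixed, "cal-bob-2"))
```

The vulnerable handler lets Bob's event land in cal-alice; the fixed handler rejects that move but still accepts a move to cal-bob-2, which is the behaviour a correct patch needs to preserve.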

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

Exploitation lets a regular user place events they control into other users' calendars. Two limits follow from the description: the attacker must know the victim's calendar ID, and because the endpoint still checks write access to the event's current calendar, only events from calendars the attacker can already write to can be moved; the flaw does not by itself grant read or edit access to the victim's existing events. Plausible abuse of attacker-controlled events in a victim's calendar includes:

  • Phishing, by placing events with malicious content in victim calendars.
  • Calendar spam that disrupts normal calendar usage.
  • Denial-of-service conditions by flooding a calendar with unwanted events.
Detection Guidance

This vulnerability can be detected by monitoring requests to POST /api/v1/calendars/events/{event_id}/update and flagging those that move an event into a calendar the caller is not authorized to write to.

Specifically, look for requests where the calendar_id in the request body differs from the calendar the event currently belongs to and the requesting user lacks write access to that destination calendar. On an unpatched instance such a request succeeds; on 0.9.6 or later it should be rejected, so a successful cross-user move is a strong indicator.

Commands or methods to detect this might include:

  • Capturing and inspecting POST requests to the endpoint with network traffic analysis tools (e.g., tcpdump, Wireshark). This only works where the traffic is visible in plaintext, for example between a TLS-terminating reverse proxy and the application; otherwise rely on proxy or application logs.
  • Querying application or reverse-proxy logs for update requests to /api/v1/calendars/events/*/update where the calendar_id in the request body differs from the event's calendar at the time of the request. This requires that request bodies (or at least the calendar_id field) are logged; a default access log that records only method and path is not enough.
  • Verifying exposure, rather than detecting attacks, by using curl or similar tools against a test instance with two user accounts: create an event in one user's calendar and submit an update carrying the other user's calendar_id; acceptance of the move confirms the instance is vulnerable.
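The log query described above, worked through as an added example (not from this advisory and not Open WebUI code). The advisory does not describe Open WebUI's log format, so the script assumes a hypothetical JSON-lines request log, written by a TLS-terminating reverse proxy or an application middleware, that records the caller, method, path, response status and the parsed JSON body. The two lookup tables stand in for the application database (the event's calendar at request time and each calendar's owner), and the owner-only write rule is an assumption; the sample log lines are constructed.

```python
"""Log-based detection of CVE-2026-54006 cross-calendar moves (added
example; hypothetical log format and data model)."""
import json
import re

UPDATE_PATH = re.compile(r"^/api/v1/calendars/events/([^/]+)/update$")

# Constructed reference data. In practice, join the event's calendar at
# request time and the calendar's owner/ACL from the application database.
EVENT_CALENDAR = {
    "evt-1": "cal-bob",
    "evt-2": "cal-bob",
    "evt-3": "cal-alice",
    "evt-4": "cal-carol-work",
}
CALENDAR_OWNER = {
    "cal-alice": "alice",
    "cal-bob": "bob",
    "cal-carol-work": "carol",
    "cal-carol-home": "carol",
}

# Constructed sample log lines in the assumed JSON-lines format.
SAMPLE_LOG = """\
{"ts":"2026-06-23T10:00:01Z","user":"bob","method":"POST","status":200,"path":"/api/v1/calendars/events/evt-1/update","body":{"title":"Standup"}}
{"ts":"2026-06-23T10:00:02Z","user":"bob","method":"POST","status":200,"path":"/api/v1/calendars/events/evt-2/update","body":{"calendar_id":"cal-alice","title":"Action required: verify your account"}}
{"ts":"2026-06-23T10:00:03Z","user":"alice","method":"POST","status":200,"path":"/api/v1/calendars/events/evt-3/update","body":{"calendar_id":"cal-alice","title":"Lunch"}}
{"ts":"2026-06-23T10:00:04Z","user":"bob","method":"GET","status":200,"path":"/api/v1/calendars/events/evt-2","body":null}
{"ts":"2026-06-23T10:00:05Z","user":"carol","method":"POST","status":200,"path":"/api/v1/calendars/events/evt-4/update","body":{"calendar_id":"cal-carol-home"}}
"""


def can_write(user, calendar_id):
    """Hypothetical access rule: only the owner may write to a calendar."""
    return CALENDAR_OWNER.get(calendar_id) == user


def analyze(log_text):
    """Return one finding per update request that asks to move an event to
    a different calendar. Severity is 'high' when the caller lacks write
    access to the destination (the CVE pattern) and 'info' for a move
    between calendars the caller may write to."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        m = UPDATE_PATH.match(rec.get("path", ""))
        if not m:
            continue
        event_id = m.group(1)
        dest = (rec.get("body") or {}).get("calendar_id")
        src = EVENT_CALENDAR.get(event_id)
        if dest is None or dest == src:
            continue  # no calendar change requested; not of interest
        findings.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "event_id": event_id,
            "from": src,
            "to": dest,
            "status": rec.get("status"),
            "severity": "info" if can_write(rec["user"], dest) else "high",
        })
    return findings


def high_findings(log_text):
    """Only the cross-user moves, i.e. the exploitation pattern."""
    return [f for f in analyze(log_text) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ts']} {f['user']} moved {f['event_id']} "
              f"{f['from']} -> {f['to']} (HTTP {f['status']})")
```

Against the sample, only Bob's move of evt-2 into cal-alice is reported as high; Carol's move between her own two calendars is recorded as info so that legitimate reorganisation does not page anyone. The recorded status matters: a 2xx on a high finding means the move was accepted, which should not happen on 0.9.6 or later.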
Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Open WebUI application to version 0.9.6 or later, where the issue is fixed.

Until the upgrade can be performed, consider disabling calendar features or restricting the calendar event update endpoint (for example at a reverse proxy in front of Open WebUI) to trusted users only. Blocking the endpoint also prevents legitimate event edits, so treat this as a stop-gap rather than a fix.

Additionally, monitor for suspicious activity involving calendar event updates that move events between users without proper authorization.
