CVE-2026-54015
Undergoing Analysis - In Progress
Authorization Bypass in Open WebUI Prompt History

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (history_entry.prompt_id == prompt.id). This affects /api/v1/prompts/id/{prompt_id}/history/diff, /api/v1/prompts/id/{prompt_id}/update/version, and /api/v1/prompts/id/{prompt_id}/history/{history_id}. An authenticated user with access to any prompt they control, plus a victim prompt_history.id, can read or delete another user's private prompt history. This vulnerability is fixed in 0.9.6.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
open_webui | open_webui | to 0.9.6 (exc)
CWE
CWE ID | Description
CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-54015 is a security vulnerability in Open WebUI versions 0.9.5 and earlier involving an Insecure Direct Object Reference (IDOR) in the prompt version-history endpoints.

The system authorizes access based on the prompt ID in the URL but fails to verify that the referenced history entries actually belong to that specific prompt.

This flaw allows an authenticated user who controls any prompt, and who knows a victim's prompt history ID, to read or delete another user's private prompt history.

The affected endpoints include operations to view diffs of history snapshots, update or restore versions, and delete history entries.

The root cause is that while the route checks access for the prompt ID, it does not enforce ownership verification on the history entries being accessed or modified.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user to access or delete your private prompt history without your permission.

Specifically, an attacker can read confidential prompt history data, potentially exposing sensitive information.

Additionally, the attacker can delete or restore prompt history entries, which affects the integrity and availability of your data.

The vulnerability has a medium severity CVSS score of 6.4, indicating a significant risk to confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by testing the affected Open WebUI endpoints for improper access control on prompt history entries. Specifically, send requests to /api/v1/prompts/id/{prompt_id}/history/diff, /api/v1/prompts/id/{prompt_id}/update/version, and /api/v1/prompts/id/{prompt_id}/history/{history_id} using a prompt ID the authenticated user can access together with history IDs that belong to a different prompt.

Suggested commands involve making authenticated HTTP requests to these endpoints with different prompt_id and history_id values to verify if unauthorized access or modification is possible. For example, using curl:

  • GET request to check history diff: curl -X GET -H "Authorization: Bearer <token>" https://<host>/api/v1/prompts/id/<prompt_id>/history/diff
  • POST request to update version: curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"version": "<version_data>"}' https://<host>/api/v1/prompts/id/<prompt_id>/update/version
  • DELETE request to remove history entry: curl -X DELETE -H "Authorization: Bearer <token>" https://<host>/api/v1/prompts/id/<prompt_id>/history/<history_id>

By pairing a prompt_id the authenticated user can access with a history_id that belongs to another user's prompt, you can test whether the system improperly allows access to or deletion of that prompt history, which indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade Open WebUI to version 0.9.6 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the affected endpoints to trusted users only, and monitor for suspicious activity involving prompt history operations.
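One way to do that monitoring for the path-based endpoint, as an added example (not Open WebUI code): scan access logs for /history/{history_id} requests whose history row belongs to a different prompt than the one in the URL. The log format, the sample lines and the history-to-prompt mapping are constructed assumptions; the mapping should come from a database snapshot that predates the log window, because deleted rows no longer appear in a live export.

```python
import re

# Assumed combined-style access log; adjust the regex to your proxy's format.
LINE = re.compile(
    r'"(?P<method>[A-Z]+) /api/v1/prompts/id/(?P<prompt_id>[^/\s]+)'
    r'/history/(?P<history_id>[^/\s?]+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: prompt_history.id -> prompt_id, taken from a backup.
SAMPLE_HISTORY_OWNER = {"h-bob-1": "p-bob", "h-bob-2": "p-bob", "h-mal-1": "p-mallory"}

# Constructed sample log lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jun/2026:10:01:02 +0000] "DELETE /api/v1/prompts/id/p-bob/history/h-bob-1 HTTP/1.1" 200 17',
    '10.0.0.7 - - [23/Jun/2026:10:03:40 +0000] "DELETE /api/v1/prompts/id/p-mallory/history/h-bob-2 HTTP/1.1" 200 17',
    '10.0.0.5 - - [23/Jun/2026:10:04:11 +0000] "GET /api/v1/prompts/id/p-bob/history/diff HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Jun/2026:10:05:00 +0000] "GET /api/v1/models HTTP/1.1" 200 900',
]

def find_cross_prompt_access(log_lines, history_owner):
    """Return requests where the URL's prompt_id is not the history row's prompt_id."""
    findings = []
    for line in log_lines:
        m = LINE.search(line)
        # /history/diff has no history ID in its path, so it cannot be checked here.
        if not m or m["history_id"] == "diff":
            continue
        owner = history_owner.get(m["history_id"])
        if owner is not None and owner != m["prompt_id"]:
            findings.append({
                "method": m["method"],
                "url_prompt_id": m["prompt_id"],
                "history_id": m["history_id"],
                "actual_prompt_id": owner,
                "succeeded": m["status"].startswith("2"),
            })
    return findings

if __name__ == "__main__":
    for f in find_cross_prompt_access(SAMPLE_LOG, SAMPLE_HISTORY_OWNER):
        print(f)
```

The diff and update/version endpoints take their history IDs outside the URL path, so this check covers only the /history/{history_id} route.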

Additionally, review and enforce strict access control checks on prompt history operations to ensure that history entries belong to the authorized prompt before allowing read, update, or delete actions.
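The ownership check described above, shown as an added example on a minimal in-memory model (not Open WebUI's actual code): the unscoped handler reproduces the pattern from the description, and the scoped handler adds the history_entry.prompt_id == prompt.id comparison. All class names, function names and sample data are constructed for illustration.

```python
from dataclasses import dataclass

class NotFound(Exception): pass
class Forbidden(Exception): pass

@dataclass
class Prompt:
    id: str
    owner: str

@dataclass
class HistoryEntry:
    id: str
    prompt_id: str
    snapshot: str

def make_store():
    """Constructed sample data: two users, one prompt and one history row each."""
    prompts = [Prompt("p-mallory", "mallory"), Prompt("p-bob", "bob")]
    history = [HistoryEntry("h-1", "p-mallory", "v1"),
               HistoryEntry("h-2", "p-bob", "private v1")]
    return {"prompts": {p.id: p for p in prompts},
            "history": {h.id: h for h in history}}

def authorize_prompt(store, user, prompt_id):
    """Route-level check: the caller must have access to the prompt in the URL."""
    prompt = store["prompts"].get(prompt_id)
    if prompt is None:
        raise NotFound(prompt_id)
    if prompt.owner != user:
        raise Forbidden(prompt_id)
    return prompt

def delete_history_unscoped(store, user, prompt_id, history_id):
    """Flawed pattern: the prompt is authorized, the history row is fetched by ID alone."""
    authorize_prompt(store, user, prompt_id)
    return store["history"].pop(history_id, None) is not None

def delete_history_scoped(store, user, prompt_id, history_id):
    """Hardened pattern: the history row must belong to the authorized prompt."""
    prompt = authorize_prompt(store, user, prompt_id)
    entry = store["history"].get(history_id)
    # Same response for a missing row and another prompt's row, so IDs are not confirmed.
    if entry is None or entry.prompt_id != prompt.id:
        raise NotFound(history_id)
    del store["history"][history_id]
    return True
```

The same comparison applies to the diff and restore paths: every caller-supplied history ID is checked against the authorized prompt before it is read or written.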

Compliance Impact

This vulnerability allows authenticated users to read or delete another user's private prompt history due to improper authorization checks. Such unauthorized access and modification of private data can lead to violations of data protection principles required by standards like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to ensure confidentiality and integrity.

Specifically, the exposure and potential deletion of private prompt histories could be considered a breach of confidentiality and data integrity, which are core requirements under these regulations. Organizations using affected versions of Open WebUI prior to 0.9.6 may therefore face compliance risks if this vulnerability is exploited.
