Open WebUI Vulnerability Exposes User Chat Conversations

The National Vulnerability Database has published CVE-2026-45349, a high-severity vulnerability (CVSS 7.1) in Open WebUI, a self-hosted, offline-first artificial intelligence platform. Prior to version 0.9.0, an authenticated user could call the /api/chat/completions API endpoint to continue another user's conversation, needing only their own API key and the target user's chat ID.

This isn't a trivial information leak; it's a direct conversation hijack. An attacker needs nothing beyond their own valid API key: with a victim's chat ID they can inject prompts into that conversation and receive completions generated against its history, effectively impersonating the victim and reading what they discussed. The vulnerability, categorized as CWE-639 (Authorization Bypass Through User-Controlled Key), is a missing object-level authorization check: the endpoint looked the chat up by the client-supplied ID without verifying that the caller owned it.

For organizations deploying Open WebUI, this means private conversations, potentially containing sensitive data or intellectual property, could have been read or manipulated by any other account on the instance. Upgrading to version 0.9.0 closes the hole, but the ease with which an authenticated user could pivot into another's session underlines the need for per-object authorization checks on every chat and resource endpoint in self-hosted AI deployments.
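The flaw and its fix, reduced to an illustrative model (an added example, not Open WebUI's code): the vulnerable handler fetches the chat by the caller-supplied ID alone, the hardened one requires the chat to belong to the caller before anything is read or written. The names Chat, ChatStore, continue_chat_vulnerable and continue_chat_fixed are hypothetical; the scenario in demo() is constructed.

```python
"""Illustrative model of the CVE-2026-45349 authorization flaw.

Added example, not Open WebUI's code. Chat, ChatStore and the two
continue_chat_* functions are hypothetical stand-ins for the real
chat table and endpoint handler.
"""
from dataclasses import dataclass, field


@dataclass
class Chat:
    chat_id: str
    owner_id: str
    messages: list = field(default_factory=list)


class ChatStore:
    """In-memory stand-in for the chat table, keyed by chat ID only."""

    def __init__(self):
        self._chats = {}

    def add(self, chat):
        self._chats[chat.chat_id] = chat

    def get(self, chat_id):
        return self._chats.get(chat_id)


class NotFound(Exception):
    """Raised for unknown AND foreign chat IDs alike, so a caller cannot
    learn whether a guessed ID exists (avoids chat-ID enumeration)."""


def continue_chat_vulnerable(store, caller_id, chat_id, prompt):
    """Pre-0.9.0 behaviour as the advisory describes it: the chat is looked
    up by the client-controlled key alone (CWE-639). Any authenticated caller
    who knows the ID can append to the chat and read its history."""
    chat = store.get(chat_id)
    if chat is None:
        raise NotFound(chat_id)
    chat.messages.append({"role": "user", "author": caller_id, "content": prompt})
    # The model would now be prompted with the full history, i.e. the victim's
    # earlier messages, and the completion returned to the attacker.
    return list(chat.messages)


def continue_chat_fixed(store, caller_id, chat_id, prompt):
    """Object-level authorization: the chat must exist AND belong to the
    caller, checked before any data is touched or returned."""
    chat = store.get(chat_id)
    if chat is None or chat.owner_id != caller_id:
        raise NotFound(chat_id)
    chat.messages.append({"role": "user", "author": caller_id, "content": prompt})
    return list(chat.messages)


def demo():
    """Constructed scenario: alice owns chat-1; bob knows only its ID.
    Returns (what bob got from the vulnerable handler, whether the fixed
    handler blocked him)."""
    store = ChatStore()
    store.add(Chat("chat-1", "alice",
                   [{"role": "user", "author": "alice", "content": "secret plan"}]))
    leaked = continue_chat_vulnerable(store, "bob", "chat-1", "summarise the above")
    try:
        continue_chat_fixed(store, "bob", "chat-1", "summarise the above")
        blocked = False
    except NotFound:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable handler leaked:", [m["content"] for m in leaked])
    print("fixed handler blocked bob:", blocked)
```

The ownership test belongs in the lookup itself (or in a query filtered by both chat ID and owner), not in the caller; a single missed check on any one of the chat endpoints reopens the same hole.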

What This Means For You

  • If your organization uses Open WebUI, immediately confirm that all instances are upgraded to version 0.9.0 or later to patch CVE-2026-45349. Additionally, audit API access for any suspicious activity involving the `/api/chat/completions` endpoint prior to the patch, especially if you have multiple internal users. Note that the chat ID is sent in the POST body, so ordinary web server access logs will show only that the endpoint was called; to tell a cross-user request from a user's own you need application-level records that carry both the caller's user ID and the chat ID, joined against the chat ownership table.
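An audit of the kind the recommendation above calls for, as an added example that is not from the advisory or from Open WebUI: it walks application-level log records, keeps the POSTs to /api/chat/completions made before the upgrade, and flags any whose chat_id belongs to a different user or to no known chat. The JSON field names (ts, user_id, method, path, chat_id), the ownership table and the log lines are all constructed for this example; the real log format is not described on the page, so map your own fields accordingly.

```python
"""Audit pre-patch chat-completion requests for cross-user chat IDs.

Added example, not Open WebUI's code. Assumes application-level JSON log
records with the caller's user_id and the chat_id from the request body;
field names, the ownership table and the sample lines are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed ownership table (chat_id -> owner user_id), as exported from
# the chat table.
CHAT_OWNERS = {
    "chat-1001": "alice",
    "chat-1002": "alice",
    "chat-2001": "bob",
}

# Constructed application log lines (one JSON object per line, UTC timestamps).
SAMPLE_LOG = """
{"ts": "2026-05-10T09:00:01Z", "user_id": "alice", "method": "POST", "path": "/api/chat/completions", "chat_id": "chat-1001"}
{"ts": "2026-05-10T09:02:15Z", "user_id": "bob",   "method": "POST", "path": "/api/chat/completions", "chat_id": "chat-2001"}
{"ts": "2026-05-10T09:05:40Z", "user_id": "bob",   "method": "POST", "path": "/api/chat/completions", "chat_id": "chat-1002"}
{"ts": "2026-05-10T09:06:02Z", "user_id": "bob",   "method": "POST", "path": "/api/chat/completions", "chat_id": "chat-9999"}
{"ts": "2026-05-10T09:07:00Z", "user_id": "bob",   "method": "POST", "path": "/api/chat/completions"}
{"ts": "2026-05-10T09:08:00Z", "user_id": "carol", "method": "GET",  "path": "/api/v1/chats/list"}
"""

# Placeholder: the moment your instance was upgraded to 0.9.0 or later.
UPGRADED_AT = datetime(2026, 5, 15, 23, 16, tzinfo=timezone.utc)


def parse_records(text):
    """Yield log records with 'ts' parsed to an aware datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def audit(log_text, owners, upgraded_at):
    """Return (ts, user_id, chat_id, reason) for every pre-upgrade POST to
    /api/chat/completions whose chat_id is not owned by the caller.

    Reasons: 'cross_user:<owner>' when the chat belongs to someone else;
    'unknown_chat_id' when the ID is in no ownership record (a deleted chat
    or an ID-guessing attempt; investigate either way). Requests without a
    chat_id start a new conversation and cannot hijack an existing one.
    """
    findings = []
    for rec in parse_records(log_text):
        if rec.get("method") != "POST" or rec.get("path") != "/api/chat/completions":
            continue
        if rec["ts"] >= upgraded_at:
            continue  # traffic after the upgrade is covered by the fix itself
        chat_id = rec.get("chat_id")
        if chat_id is None:
            continue
        owner = owners.get(chat_id)
        if owner is None:
            findings.append((rec["ts"], rec["user_id"], chat_id, "unknown_chat_id"))
        elif owner != rec["user_id"]:
            findings.append((rec["ts"], rec["user_id"], chat_id, f"cross_user:{owner}"))
    return findings


if __name__ == "__main__":
    for ts, user, chat_id, reason in audit(SAMPLE_LOG, CHAT_OWNERS, UPGRADED_AT):
        print(f"{ts.isoformat()} user={user} chat_id={chat_id} {reason}")
```

Run against the constructed sample, the audit reports bob's request into alice's chat-1002 and his request for the non-existent chat-9999, and stays silent on everyone's own chats. If your deployment already had multi-user sharing features enabled, extend the ownership table with the share grants before treating a cross-user hit as malicious.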

Detection Rules

Of the two auto-generated rules advertised for this advisory, one Sigma rule appears on the page, mapped to MITRE ATT&CK T1190 (Initial Access) and rated high:

title: Open WebUI API Chat Completion Access - CVE-2026-45349
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects POST requests to '/api/chat/completions', the endpoint used to exploit
  CVE-2026-45349 in Open WebUI versions prior to 0.9.0, where an authenticated
  user could continue another user's conversation. Caveat: this is the normal
  chat endpoint, so every legitimate completion request also matches, and web
  server logs do not normally record the request body in which the chat ID is
  sent. Treat hits as a baseline of endpoint usage to correlate with
  application-level logs (caller user ID plus chat ID against chat ownership),
  not as evidence of exploitation on their own.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45349/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/chat/completions'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - All legitimate chat usage: every completion request from any user matches
  - Legitimate administrative activity

Indicators of Compromise

ID               Type          Indicator
CVE-2026-45349   Auth Bypass   Open WebUI versions prior to 0.9.0
CVE-2026-45349   Auth Bypass   API endpoint: /api/chat/completions
CVE-2026-45349   Auth Bypass   Ability to continue another user's conversation using their chat ID

These entries describe the vulnerable condition rather than observables of an attack; actual detection requires the application-level correlation described above.

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

radare2 Use-After-Free (CVE-2026-8696) Risks Denial of Service, RCE

CVE-2026-8696 — radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial...

CVE-2026-45675: Open WebUI Vulnerable to Admin Role Race Condition

CVE-2026-45675 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use...

CVE-2026-45671: Open WebUI File Deletion Flaw Impacts Self-Hosted AI

CVE-2026-45671 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files...
