CVE-2026-45399: Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption

Summary Any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST /api/tasks/stop/{taskid} methods. This allows a casual user to disrupt system-wide chat usage by continuously canceling other users' active tasks. This is a real authorization vulnerability affecting integrity and usability in multi-user deployments.

Details Open WebUI exposes GET /api/tasks and POST /api/tasks/stop/{taskid} to any verified user. These endpoints operate on a global task namespace and accept raw taskid values without checking whether the task belongs to the current caller.

As a result, a normal authenticated user can enumerate active global task IDs and stop tasks belonging to other users.

Root cause:

1. Route authorization is too weak.

In backend/openwebui/main.py, both endpoints only require getverifieduser:

python @app.post('/api/tasks/stop/{taskid}') async def stoptaskendpoint(request: Request, taskid: str, user=Depends(getverifieduser)): result = await stoptask(request.app.state.redis, taskid)

@app.get('/api/tasks') async def listtasksendpoint(request: Request, user=Depends(getverifieduser)): return {'tasks': await listtasks(request.app.state.redis)}

getverifieduser accepts both user and admin roles in backend/openwebui/utils/auth.py.

2. The helper operates on a global namespace.

In backend/openwebui/tasks.py, task listing is global:

python async def listtasks(redis): if redis: return await redislisttasks(redis) return list(tasks.keys())

In backend/openwebui/tasks.py, task stopping is by raw taskid:

python async def stoptask(redis, taskid: str): if redis: itemid = await redis.hget(REDISTASKSKEY, taskid) await redissendcommand(redis, {'action': 'stop', 'taskid': taskid}) await rediscleanuptask(redis, taskid, itemid or None)

There is no owner check, no userid check, and no mapping from taskid back to the current caller before stop or cleanup.

This also appears unintended because the codebase already has a scoped route, GET /api/tasks/chat/{chatid}, which checks whether the chat belongs to the current user before returning task IDs.

Relevant code references: - backend/openwebui/main.py:1975 - backend/openwebui/main.py:1984 - backend/openwebui/main.py:1989 - backend/openwebui/tasks.py:127 - backend/openwebui/tasks.py:145 - backend/openwebui/utils/auth.py:415

Suggested remediation: - Store task ownership metadata such as userid and chatid, then enforce owner-only access for non-admin users - Suggested implementation locations: - backend/openwebui/main.py: add authentication checks for /api/tasks and /api/tasks/stop/{taskid} - backend/openwebui/tasks.py: add support for storing/querying task ownership metadata such as userid and chatid, and support owner-scoped listing/stopping

PoC Preconditions:

- Default main branch deployment - Authentication enabled - Two normal user accounts, or any multi-user deployment where the attacker has one authenticated non-admin account - At least one task actively running for another user

This does not require any weakened security settings.

PoC objective:

1. Show that a non-admin user can see global active task IDs that are not their own 2. Show that the same user can stop another user's active task

Reproduction steps:

Step 1. Victim starts a long-running task

Using the UI, User A starts a long response generation or another background task and leaves it running.

Expected security model: User B should not be able to see or control User A's task.

Step 2. Attacker enumerates global task IDs

Using User B's authenticated token:

bash curl -i -H "Authorization: Bearer <USERBTOKEN>" http://<open-webui-host>/api/tasks

Expected result:

- only User B's own task IDs should be returned, or - the endpoint should be admin-only

Actual result: the response returns the global active task list.

Example response shape:

json {"tasks":["<task-id-a>","<task-id-b>"]}

This exposes task IDs belonging to other users.

Step 3. Attacker stops a foreign task

Pick a task ID that belongs to User A and send:

bash curl -i -X POST -H "Authorization: Bearer <USERBTOKEN>" http://<open-webui-host>/api/tasks/stop/<FOREIGNTASKID>

Expected result:

- 403 Forbidden, or - 404 Not Found for non-owned tasks, or - admin-only access

Actual result: the server accepts the request and attempts to stop the foreign task.

Example response shape:

json {"status":true,"message":"Task <FOREIGNTASKID> stopped."}

Step 4. Observe boundary violation

User A's running task is interrupted or disappears from the active task set even though User B does not own it.

What actions become possible that should not be possible:

- enumerate globally active task IDs across users - cancel another user's in-progress generation or background work - repeat this for every returned task ID, causing broad cross-user disruption

Copy-paste PoC summary:

1. Enumerate all active tasks as a normal non-admin user

bash curl -s -H "Authorization: Bearer <USERBTOKEN>" http://<open-webui-host>/api/tasks

2. Stop a task that does not belong to that user

bash curl -s -X POST -H "Authorization: Bearer <USERBTOKEN>" http://<open-webui-host>/api/tasks/stop/<FOREIGNTASKID>

Impact Type of vulnerability: broken object-level authorization affecting a global runtime control-plane endpoint.

Who is impacted:

- all users in a multi-user Open WebUI deployment - any user currently running a background task, especially chat generation tasks - administrators indirectly, because normal users can disrupt system-wide usage without admin privileges

Direct impact:

- cross-user task ID disclosure - cross-user task cancellation

Practical impact:

- interruption of long-running chat responses - interruption of background indexing or ingestion tasks associated with shared runtime jobs - one ordinary authenticated low-privilege user can continuously poll /api/tasks and immediately cancel every newly created active task - with a simple loop or script, this becomes a practical persistent denial-of-service against chat usage for all users on the instance - in a multi-user deployment, normal users may be unable to complete any chat generation while the attacker continues polling and cancelling tasks

Why severity is meaningful:

- privileges required: low, only an authenticated non-admin account - scope: cross-user - impact class: integrity and availability - exploitation complexity: low once logged in

This is not full account takeover or privilege escalation, but it enables platform-wide operational disruption from a low-privilege account. In practice, sustained exploitation can make chat functionality effectively unusable for other users on the system.

Resolution

Fixed in commit e7ff4768f (#23454, "Add ownership checks to global task endpoints"), first released in v0.9.0 (Apr 2026).

The fix takes a simpler approach than per-task ownership tracking, which would have required a schema change to attribute every task to a userid:

- GET /api/tasks and POST /api/tasks/stop/{taskid} are restricted to admin-only via Depends(getadminuser). Cross-user enumeration and termination are no longer reachable from a non-admin account. - A new scoped POST /api/tasks/chat/{chatid}/stop endpoint covers the legitimate non-admin use case (a user stopping their own in-progress generation), reusing the same chat-ownership check the existing GET /api/tasks/chat/{chatid} already enforces.

CVE-2025-63681 was a prior disclosure of the same authorization gap against v0.6.33; the fix in v0.9.0 also resolves that.

Users on >= 0.9.0 are not affected.