CVE-2026-45666: Open WebUI: Indirect Object Reference (IDOR) in user notes
Summary The API /api/v1/notes/{noteid} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data.
Details - if notes is enabled from UI (Settings >> General >> Features >> Notes (Beta)) - From API, attacker can access other user notes - if notes is disabled from UI (Settings >> General >> Features >> Notes (Beta)) - Then attacker can enable the notes from /api/config and access other user notes
PoC - Step 1: Log in to the application as a valid user (User A). !image
- Step 2: Intercept or inspect the response from the endpoint GET /api/config. !image
- Step 3: Observe the field "enablenotes": false in the JSON response. - Step 4: Manually change "enablenotes" to true using browser DevTools or by intercepting and modifying the response via a proxy like Burp Suite. (Please note, the occurrence of this API comes twice, hence modification needs to be made twice as well.) !image
- Step 5: Observe the loaded frontend application; the previously hidden notes form will now be visible. !image
!image
- Step 6: Again, click on any note, intercept the request, and Replace the noteid in the URL with a different note ID known to belong to another user (e.g., by guessing or bruteforcing). - Step 7: Send the modified request while remaining logged in as User A. - Step 8: Observe that the server returns the content of another user's note, confirming unauthorized access. !image !image
Impact 1. Unauthorized access to user-created notes 2. Possible exposure of confidential or sensitive uploaded data 3. Violation of user privacy and data isolation 4. High risk of legal or compliance breaches in regulated environments
Resolution
Fixed in commit de3317e26, first released in v0.8.11 (Mar 2026). All per-id note endpoints (GET /api/v1/notes/{id}, POST /api/v1/notes/{id}/update, POST /api/v1/notes/{id}/access/update, deletion) now enforce ownership: the handler fetches the note, then requires the caller to be admin, the note owner, or have an AccessGrants grant for the appropriate permission (read for retrieval, write for mutation). A non-owner with no grant receives 403.
Users on >= 0.8.11 are not affected.
Other sources
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/{noteid} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data. This vulnerability is fixed in 0.8.11.
— MITRE
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2026-45666?
CVE-2026-45666 has a high severity due to an unauthorized disclosure of user notes through indirect object reference.
How do I fix CVE-2026-45666?
To fix CVE-2026-45666, upgrade open-webui to version 0.8.11 or later to ensure proper authorization checks are implemented.
Which versions of open-webui are affected by CVE-2026-45666?
Open-webui versions up to and including 0.8.10 are affected by CVE-2026-45666.
Can CVE-2026-45666 lead to data breaches?
Yes, CVE-2026-45666 can lead to data breaches as it allows unauthorized access to user notes.
What are the potential impacts of CVE-2026-45666?
The potential impacts of CVE-2026-45666 include unauthorized access to sensitive user data and loss of privacy.