CVE-2026-45399

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST /api/tasks/stop/{task_id} methods. This allows a casual user to disrupt system-wide chat usage by continuously canceling other users' active tasks. This is a real authorization vulnerability affecting integrity and usability in multi-user deployments. This vulnerability is fixed in 0.9.0.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/open-webui/open-webui/security/advisories/GHSA-8jjp-r2w2-4v22	Exploit Mitigation Vendor Advisory
https://github.com/open-webui/open-webui/security/advisories/GHSA-8jjp-r2w2-4v22	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*

History

19 May 2026, 03:08

Type	Values Removed	Values Added
References	~~() https://github.com/open-webui/open-webui/security/advisories/GHSA-8jjp-r2w2-4v22 -~~	() https://github.com/open-webui/open-webui/security/advisories/GHSA-8jjp-r2w2-4v22 - Exploit, Mitigation, Vendor Advisory
First Time		Openwebui Openwebui open Webui
CPE		cpe:2.3:a:openwebui:open_webui::::::::

15 May 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-15 20:16

Updated : 2026-05-19 03:08

NVD link : CVE-2026-45399

Mitre link : CVE-2026-45399

CVE.ORG link : CVE-2026-45399

JSON object : View

Products Affected

openwebui

open_webui

CWE

CWE-862

Missing Authorization

7.1 /10