Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3226 vulnerabilities reference this CWE, most recent first.

GHSA-X2M4-5RQP-RHVQ

Vulnerability from github – Published: 2024-04-08 21:31 – Updated: 2025-03-13 18:31
VLAI
Details

Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27630"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function.",
  "id": "GHSA-x2m4-5rqp-rhvq",
  "modified": "2025-03-13T18:31:56Z",
  "published": "2024-04-08T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27630"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ally-petitt/CVE-2024-27630"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40allypetitt/how-i-found-3-cves-in-2-days-8a135eb924d3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2QM-672H-5482

Vulnerability from github – Published: 2024-08-03 15:30 – Updated: 2024-08-03 15:30
VLAI
Details

A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-273522 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-03T15:15:58Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-273522 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-x2qm-672h-5482",
  "modified": "2024-08-03T15:30:34Z",
  "published": "2024-08-03T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fewword/Poc/blob/main/smf/smf-poc1.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.273522"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.273522"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.380189"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X2W5-644H-C9P2

Vulnerability from github – Published: 2025-10-27 15:30 – Updated: 2025-10-27 15:30
VLAI
Details

A security flaw has been discovered in code-projects Client Details System 1.0. The impacted element is an unknown function. The manipulation results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be exploited.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T14:15:39Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in code-projects Client Details System 1.0. The impacted element is an unknown function. The manipulation results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be exploited.",
  "id": "GHSA-x2w5-644h-c9p2",
  "modified": "2025-10-27T15:30:42Z",
  "published": "2025-10-27T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12283"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hellonewbie/tutorial/issues/11"
    },
    {
      "type": "WEB",
      "url": "https://code-projects.org"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.329953"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.329953"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.674213"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X2W7-XR2G-QHJR

Vulnerability from github – Published: 2026-06-08 21:31 – Updated: 2026-06-08 21:31
VLAI
Details

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-08T20:17:01Z",
    "severity": "MODERATE"
  },
  "details": "WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID.",
  "id": "GHSA-x2w7-xr2g-qhjr",
  "modified": "2026-06-08T21:31:50Z",
  "published": "2026-06-08T21:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49141"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ArnasDon/wacrm/pull/194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ArnasDon/wacrm/commit/73041bfa6420f5e1ecbfa1dd4fa847d8529320f5"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wacrm-authorization-bypass-via-automation-engine-endpoint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X2XX-4QHP-2VQX

Vulnerability from github – Published: 2025-08-01 06:31 – Updated: 2025-10-23 15:30
VLAI
Details

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-01T04:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user\u0027s cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins.",
  "id": "GHSA-x2xx-4qhp-2vqx",
  "modified": "2025-10-23T15:30:24Z",
  "published": "2025-08-01T06:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5947"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-5947-detect-wordpress-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-5947-mitigate-wordpress-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1fe4f60-d93b-4071-90ae-ac863c17fe19?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X35M-4MV2-6M4P

Vulnerability from github – Published: 2026-02-11 12:30 – Updated: 2026-02-11 12:30
VLAI
Details

The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T10:15:49Z",
    "severity": "HIGH"
  },
  "details": "The \u0027Videospirecore Theme Plugin\u0027 plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account.",
  "id": "GHSA-x35m-4mv2-6m4p",
  "modified": "2026-02-11T12:30:21Z",
  "published": "2026-02-11T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15096"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/videospire-video-streaming-ott-platform-wordpress-theme/39243225?s_rank=1"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf152269-73e1-473f-8d97-ce94e9b885d0?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X36W-M8P6-4MC4

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

A vulnerability has been identified in Industrial Edge Management (All versions < V1.3). An unauthenticated attacker could change the the password of any user in the system under certain circumstances. With this an attacker could impersonate any valid user on an affected system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-14T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been identified in Industrial Edge Management (All versions \u003c V1.3). An unauthenticated attacker could change the the password of any user in the system under certain circumstances. With this an attacker could impersonate any valid user on an affected system.",
  "id": "GHSA-x36w-m8p6-4mc4",
  "modified": "2022-05-24T19:14:31Z",
  "published": "2022-05-24T19:14:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37184"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-692317.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X398-2RGF-67P8

Vulnerability from github – Published: 2026-02-11 12:30 – Updated: 2026-02-11 12:30
VLAI
Details

GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1080"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T12:16:04Z",
    "severity": "MODERATE"
  },
  "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.",
  "id": "GHSA-x398-2rgf-67p8",
  "modified": "2026-02-11T12:30:22Z",
  "published": "2026-02-11T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1080"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3484568"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/586477"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X39X-RWWC-FP3F

Vulnerability from github – Published: 2024-11-09 06:30 – Updated: 2024-11-09 06:30
VLAI
Details

The SKT Addons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.3 via the Unfold widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T04:15:04Z",
    "severity": "MODERATE"
  },
  "details": "The SKT Addons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.3 via the Unfold widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
  "id": "GHSA-x39x-rwwc-fp3f",
  "modified": "2024-11-09T06:30:25Z",
  "published": "2024-11-09T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10693"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3183804%40skt-addons-for-elementor\u0026new=3183804%40skt-addons-for-elementor\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8accf552-f235-46dd-857b-330eef7765a0?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3QM-P8HR-3C3H

Vulnerability from github – Published: 2026-05-14 20:27 – Updated: 2026-05-19 16:00
VLAI
Summary
Open WebUI has an Indirect Object Reference (IDOR) in user notes
Details

Summary

The API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data.

Details

  • if notes is enabled from UI (Settings >> General >> Features >> Notes (Beta))
  • From API, attacker can access other user notes
  • if notes is disabled from UI (Settings >> General >> Features >> Notes (Beta))
  • Then attacker can enable the notes from /api/config and access other user notes

PoC

  • Step 1: Log in to the application as a valid user (User A). image

  • Step 2: Intercept or inspect the response from the endpoint GET /api/config. image

  • Step 3: Observe the field "enable_notes": false in the JSON response.

  • Step 4: Manually change "enable_notes" to true using browser DevTools or by intercepting and modifying the response via a proxy like Burp Suite. (Please note, the occurrence of this API comes twice, hence modification needs to be made twice as well.) image

  • Step 5: Observe the loaded frontend application; the previously hidden notes form will now be visible. image

image

  • Step 6: Again, click on any note, intercept the request, and Replace the note_id in the URL with a different note ID known to belong to another user (e.g., by guessing or bruteforcing).
  • Step 7: Send the modified request while remaining logged in as User A.
  • Step 8: Observe that the server returns the content of another user's note, confirming unauthorized access. image image

Impact

  1. Unauthorized access to user-created notes
  2. Possible exposure of confidential or sensitive uploaded data
  3. Violation of user privacy and data isolation
  4. High risk of legal or compliance breaches in regulated environments

Resolution

Fixed in commit de3317e26, first released in v0.8.11 (Mar 2026). All per-id note endpoints (GET /api/v1/notes/{id}, POST /api/v1/notes/{id}/update, POST /api/v1/notes/{id}/access/update, deletion) now enforce ownership: the handler fetches the note, then requires the caller to be admin, the note owner, or have an AccessGrants grant for the appropriate permission (read for retrieval, write for mutation). A non-owner with no grant receives 403.

Users on >= 0.8.11 are not affected.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.10"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:27:56Z",
    "nvd_published_at": "2026-05-15T22:16:56Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe  API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data.\n\n### Details\n- if notes is enabled from UI (Settings \u003e\u003e General \u003e\u003e Features \u003e\u003e Notes (Beta))\n   - From API, attacker can access other user notes\n- if notes is disabled from UI (Settings \u003e\u003e General \u003e\u003e Features \u003e\u003e Notes (Beta))\n   - Then attacker can enable the notes from /api/config and access other user notes \n\n### PoC\n- Step 1: Log in to the application as a valid user (User A).\n![image](https://github.com/user-attachments/assets/3c4625f9-6e51-4cd1-942e-6a3f467520c0)\n\n- Step 2: Intercept or inspect the response from the endpoint GET /api/config.\n![image](https://github.com/user-attachments/assets/7c4fe716-314c-4640-bc9f-1e11ddc2273d)\n\n- Step 3: Observe the field \"enable_notes\": false in the JSON response.\n- Step 4: Manually change \"enable_notes\" to true using browser DevTools or by intercepting and modifying the response via a proxy like Burp Suite. (Please note, the occurrence of this API comes twice, hence modification needs to be made twice as well.)\n![image](https://github.com/user-attachments/assets/99575570-a673-4508-b149-9a2480d8f62e)\n\n- Step 5: Observe the loaded frontend application; the previously hidden notes form will now be visible.\n![image](https://github.com/user-attachments/assets/a4059b1f-2e77-4f29-88a3-431e82b7c41d)\n\n![image](https://github.com/user-attachments/assets/55e601d7-b013-43e3-a070-3a80f166e777)\n\n- Step 6: Again, click on any note, intercept the request, and Replace the note_id in the URL with a different note ID known to belong to another user (e.g., by guessing or bruteforcing).\n- Step 7: Send the modified request while remaining logged in as User A.\n- Step 8: Observe that the server returns the content of another user\u0027s note, confirming unauthorized access.\n![image](https://github.com/user-attachments/assets/cbec4ab5-a8a8-488a-a984-03e8de5b22f7)\n![image](https://github.com/user-attachments/assets/046cd925-7299-44ba-bfc3-d6e7071d29d1)\n\n\n### Impact\n1. Unauthorized access to user-created notes\n2. Possible exposure of confidential or sensitive uploaded data\n3. Violation of user privacy and data isolation\n4. High risk of legal or compliance breaches in regulated environments\n\n## Resolution\n\nFixed in commit [de3317e26](https://github.com/open-webui/open-webui/commit/de3317e26bb67a2a7ea015a183bbd1d369880ebd), first released in **v0.8.11** (Mar 2026). All per-id note endpoints (`GET /api/v1/notes/{id}`, `POST /api/v1/notes/{id}/update`, `POST /api/v1/notes/{id}/access/update`, deletion) now enforce ownership: the handler fetches the note, then requires the caller to be admin, the note owner, or have an `AccessGrants` grant for the appropriate permission (`read` for retrieval, `write` for mutation). A non-owner with no grant receives 403.\n\nUsers on `\u003e= 0.8.11` are not affected.",
  "id": "GHSA-x3qm-p8hr-3c3h",
  "modified": "2026-05-19T16:00:32Z",
  "published": "2026-05-14T20:27:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-x3qm-p8hr-3c3h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/commit/de3317e26bb67a2a7ea015a183bbd1d369880ebd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.8.11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has an Indirect Object Reference (IDOR) in user notes"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.