Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation — CVE-2026-45396
GitHub · GitHub · CVE-2026-45396
ID
CVE-2026-45396
CVE-2026-45396
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
5.4
5.4
Summary
# Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation ## Summary The `POST /api/v1/evaluations/feedback` endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via `FeedbackForm`, which uses `model_config = ConfigDict(extra='allow')`. Due to an insecure dictionary merge order in `insert_new_feedback()`, an authenticated attacker can inject a `user_id` field in the…
Product
pip: open-webui
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.