CVE-2026-54006
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
In Open WebUI prior to version 0.9.6, there is a vulnerability that allows regular user-role accounts to move events between other users' calendars without proper permissions. This vulnerability stems from the lack of validation of the destination calendar_id in the event update request.
Risk Assessment
Organizations may be exposed to unauthorized data movement between calendars, potentially leading to privacy breaches and information security issues.
Recommendation
It is recommended to update Open WebUI to version 0.9.6 or later to mitigate this vulnerability and to implement additional access controls in the application.
Original NVD description (English source)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendar_id supplied in the request body. The model layer then persists the new calendar_id unconditionally. A regular user-role account can therefore create an event in their own calendar and immediately move it into any other user's calendar whose ID they know — bypassing the authorization check that create_event correctly performs. This vulnerability is fixed in 0.9.6.

