{"id":"CVE-2026-54006","summary":"Open WebUI: Calendar event re-parenting allows writing events into another user's calendar","details":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendar_id supplied in the request body. The model layer then persists the new calendar_id unconditionally. A regular user-role account can therefore create an event in their own calendar and immediately move it into any other user's calendar whose ID they know — bypassing the authorization check that create_event correctly performs.  This vulnerability is fixed in 0.9.6.","aliases":["GHSA-f3g7-59qc-pqg6","PYSEC-2026-2722"],"modified":"2026-07-15T01:49:14.758159332Z","published":"2026-06-23T16:50:44.406Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54006.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54006.json"},{"type":"ADVISORY","url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-f3g7-59qc-pqg6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54006"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-webui/open-webui","events":[{"introduced":"0"},{"fixed":"1a97751e376e00a1897bc3679215ae1c7bd8fd42"}],"database_specific":{"cpe":"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.9.6"}],"source":["AFFECTED_FIELD","CPE_RANGE"]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54006.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}