PT-2026-41169
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.3 Description The "POST /api/v1/notes/id/pin" endpoint performs a write operation by toggling the is pinned field but incorrectly validates only for read permission. This allows users who have read-only access ...