IA Squad
python · open-webui · Heads-up

open-webui: Missing calendar write permission check in event update endpoint


18 Jun 2026 · Read 1 min · Severity: schedule it

What changed

The POST /api/v1/calendars/events/{event_id}/update endpoint validates write access to the source calendar but does not validate the destination calendar_id in the request body, allowing a user to move an event into any calendar whose ID they know.

Who it affects

All users of open-webui with default configuration (ENABLE_CALENDAR and USER_PERMISSIONS_FEATURES_CALENDAR both True). A user with read-only access to a shared calendar can escalate to write, and any user can inject events into other users' calendars.

What to do today

Apply the fix by adding a destination calendar write permission check in the update_event endpoint, or disable the calendar feature if not needed.
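
A minimal sketch of the missing check, added here as an illustration; it is not open-webui's code. The Calendar/Event model, can_write, sample_state and both update_event_* functions are hypothetical names, and Forbidden stands in for an HTTP 403 response.

```python
# Added illustration: a self-contained model, not open-webui's code.
# Every name here is hypothetical; Forbidden stands in for an HTTP 403.
from dataclasses import dataclass, field

class Forbidden(Exception):
    pass

@dataclass
class Calendar:
    owner: str
    writers: set = field(default_factory=set)  # users granted write access

@dataclass
class Event:
    calendar_id: str
    title: str

def can_write(cal, user):
    return user == cal.owner or user in cal.writers

def sample_state():
    """Constructed data: alice owns 'mine'; bob owns 'team', where alice has no write grant."""
    calendars = {"mine": Calendar("alice"), "team": Calendar("bob")}
    events = {"e1": Event("mine", "standup")}
    return calendars, events

def update_event_unchecked(calendars, events, user, event_id, body):
    """Behaviour the advisory describes: only the source calendar is checked."""
    event = events[event_id]
    if not can_write(calendars[event.calendar_id], user):
        raise Forbidden("no write access to source calendar")
    event.calendar_id = body.get("calendar_id", event.calendar_id)
    event.title = body.get("title", event.title)
    return event

def update_event_checked(calendars, events, user, event_id, body):
    """Same handler, with the destination calendar_id authorised before any write."""
    event = events[event_id]
    if not can_write(calendars[event.calendar_id], user):
        raise Forbidden("no write access to source calendar")
    dest_id = body.get("calendar_id", event.calendar_id)
    dest = calendars.get(dest_id)
    # Unknown and unauthorised destination IDs are rejected identically.
    if dest is None or not can_write(dest, user):
        raise Forbidden("no write access to destination calendar")
    event.calendar_id = dest_id
    event.title = body.get("title", event.title)
    return event
```

The destination check runs before any field is modified, so a rejected request leaves the event unchanged.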
