4 matches found
PT-2026-50480
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An issue exists where the process picture url function in backend/open webui/utils/oauth.py performs URL validation only on the initial URL. Subsequently, it uses aiohttp.ClientSession.get without...
CVE-2026-45401 Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validateurl function in backend/openwebui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream sync requests, async...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45401 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45401 Source advisory: SNYK:PYTHON-OPENWEBUI-16735624...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45401 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45401 Source advisory: OSV:GHSA-RH5X-H6PP-CJJ6...