CVE-2026-28786 Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError whose message — including th...

CVE-2026-28786

creationtimestamp| type| source ---|---|--- 2026-03-26 23:29:07+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h...