131 matches found
CVE-2026-59223
Open WebUI vulnerability CVE-2026-59223 affects the WEB_FETCH_FILTER_LIST logic prior to 0.10.0, allowing path-based blocklist bypasses (e.g., !internal.example.com in a URL path) and misalignment with hostname policy for sibling-domain matches. The issue is fixed in version 0.10.0. Impact is a p...
CVE-2026-59227
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to...
GHSA-JGX9-JR5X-MVPV Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality
Summary There is a blind server side request forgery in the functionality that allows editing an image via a prompt. The affected function will perform a GET request on the URL provided by the user. There is no restriction on the domain of the provided URL allowing the local address space to be...
GHSA-VJM7-M4XH-7WRC Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages
Summary Manually modifying chat history allows setting the embeds property on a response message, the content of which is loaded into an iFrame with a sandbox that has allow-scripts and allow-same-origin set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS o...
GHSA-JM82-FX9C-MX94 vulnerabilities
Vulnerabilities for packages: nemo, open-webui...
CVE-2026-54531 vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-54014
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache...
CVE-2026-54007 Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt in an authenticated victim...
CVE-2026-54014 Open WebUI: Sibling-Prefix Path Traversal via /cache/{path} in open-webui/open-webui
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache...
CVE-2026-54017 Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in backend/openwebui/routers/terminals.py does not fully confine the user-controlled path segment before forwarding it to an admin-configured termin...
GHSA-4R4W-2WGP-W7CJ Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
Summary Open WebUI's prompt version-history endpoints authorize the promptid in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt historyentry.promptid == prompt.id. Three operations are affected: - GET...
GHSA-VRHC-3FR6-PC3C Open WebUI: Forged chat-file link allows cross-user file read and deletion
Summary Open WebUI v0.9.5 lets an authenticated user attach arbitrary fileid values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, hasaccesstofile treats the victim file as accessible...
GHSA-F3G7-59QC-PQG6 Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
Summary POST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally. A regula...
GHSA-CJ93-CHG6-VGV8 vulnerabilities
Vulnerabilities for packages: open-webui...
GHSA-248M-82V9-Q6G6 vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-54022
creationtimestamp| type| source ---|---|--- 2026-06-11 19:14:16+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-8788-j68r-3cgh...
CVE-2026-54019
creationtimestamp| type| source ---|---|--- 2026-06-11 19:09:52+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-p5cp-r7rg-qpxc...
CVE-2026-54016
creationtimestamp| type| source ---|---|--- 2026-06-11 19:06:16+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-cx9v-4qj2-jrw6...
CVE-2026-54015
creationtimestamp| type| source ---|---|--- 2026-06-11 19:05:34+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-4r4w-2wgp-w7cj...
CVE-2026-54014
creationtimestamp| type| source ---|---|--- 2026-06-11 19:04:46+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-j2c8-v969-8r5c...