Lucene search
K

1274 matches found

CVE
CVE
added 2026/06/23 4:39 p.m.20 views

CVE-2026-54021

Summary: Open WebUI prior to 0.9.6 allows any authenticated user to direct requests to arbitrary Ollama backends by appending a caller-supplied url_idx, bypassing backend-level isolation and possibly reaching restricted or disabled backends. The issue arises on index-addressed Ollama proxy routes...

6.3CVSS6AI score0.0021EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/23 4:39 p.m.41 views

CVE-2026-54021 Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied urlidx path parameter and use it as a raw index into the admin-configured OLLAMABASEURLS list. Access...

6.3CVSS0.0021EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 4:38 p.m.42 views

CVE-2026-54022 Open WebUI: Any authenticated user can read other users' private notes via Socket.IO

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the ydoc:document:join Socket.IO handler checks note ownership only when the documentid starts with note: colon. However, the YdocManager storage layer normalizes all document IDs b...

5.3CVSS0.00268EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:38 p.m.23 views

CVE-2026-54022

Summary (grounded in provided sources): Open WebUI prior to version 0.8.11 has a logic bug in the ydoc:document:join handler: authorization is only enforced for document IDs starting with the prefix note:. The YdocManager stores documents using a normalized key where colons are replaced with unde...

5.3CVSS5.9AI score0.00268EPSS
Exploits1References1Affected Software1
Snyk
Snyk
added 2026/06/17 6:1 p.m.5 views

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization through the getollamaurl process. An attacker can gain unauthorized access to restricted backend resources by supplying a crafted urlidx path parameter to route requests to internal or...

6.3CVSS5.9AI score0.0021EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 5:55 p.m.6 views

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the validateurl process. An attacker can access internal network resources and sensitive information by supplying a URL that redirects to internal addresses, bypassing the...

7.7CVSS5.9AI score0.00287EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/17 5:55 p.m.12 views

Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects

Summary The SafePlaywrightURLLoader implements a validateurl function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects 301/302 by default, an attacker c...

7.7CVSS5.4AI score0.00287EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/17 2:16 p.m.13 views

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}

Summary A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator...

4.3CVSS5.3AI score0.00244EPSS
Exploits1References2Affected Software1
Snyk
Snyk
added 2026/06/17 2:15 p.m.4 views

Protection Mechanism Failure

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Protection Mechanism Failure via the profileimageurl field in the model metadata process. An attacker can execute arbitrary JavaScript in the context of another user's session by storing a crafted SVG payload...

7.6CVSS6.1AI score0.00174EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/06/17 2:15 p.m.15 views

Open WebUI: Stored XSS to Account Takeover via Model Profile Images

Stored XSS to Account Takeover via Model Profile Images in Open WebUI Affected: Open WebUI tags. On the output side, users.py added a MIME allowlist check and X-Content-Type-Options: nosniff. The fix was applied to UserUpdateForm, UpdateProfileForm, and later to ChannelWebhookForm. Three models...

7.6CVSS5.3AI score0.00174EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/17 2:15 p.m.20 views

Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion

Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...

7.1CVSS5.6AI score0.00198EPSS
Exploits1References2Affected Software1
Snyk
Snyk
added 2026/06/17 2:14 p.m.4 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the Markdown file preview process when rendering Mermaid blocks with a permissive security configuration. An attacker can execute arbitrary JavaScript in the context of the victim'...

8.7CVSS5.9AI score0.002EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/17 2:14 p.m.10 views

Open WebUI: Stored XSS in Mermaid Markdown Preview

Summary Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working paylo...

8.7CVSS5.6AI score0.002EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/17 2:12 p.m.13 views

Open WebUI: Forged chat-file link allows cross-user file read and deletion

Summary Open WebUI v0.9.5 lets an authenticated user attach arbitrary fileid values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, hasaccesstofile treats the victim file as accessible...

8.3CVSS5.5AI score0.00241EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/06/17 2:10 p.m.5 views

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the processpictureurl function. An attacker can access internal network resources and exfiltrate sensitive data by submitting a crafted OAuth profile image URL that redirec...

8.5CVSS5.9AI score0.00203EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/17 2:10 p.m.3 views

Origin Validation Error

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Origin Validation Error through the postMessage process. An attacker can execute unauthorized actions and trigger backend API calls under the victim's authenticated session by sending crafted cross-origin...

7.1CVSS5.9AI score0.00162EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50486

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description A path traversal issue exists in the cache file serving endpoint '/cache/path:path' that allows authenticated users with the role of user or admin to read files from sibling directories outside th...

4.3CVSS5.9AI score0.00244EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.11 views

PT-2026-50482

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An authenticated user can attach arbitrary file id values to their own chat messages because the system fails to verify if the user owns or has read access to those files. By sharing the chat and...

8.3CVSS6AI score0.00241EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.25 views

PT-2026-50488

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description Open WebUI contains a Broken Object Level Authorization BOLA issue in the builtin search knowledge files function. BOLA occurs when an application does not properly verify if a user has permission...

4.3CVSS6AI score0.00226EPSS
Exploits1References4
Wolfi
Wolfi
added 2026/06/15 8:35 p.m.8 views

CVE-2026-48156 vulnerabilities

Vulnerabilities for packages: open-webui...

5.1CVSS5.1AI score0.00124EPSS
Exploits0
Rows per page
Query Builder