1210 matches found
CVE-2026-54011
Open WebUI vulnerability CVE-2026-54011 is a stored XSS in Mermaid Markdown Preview. Affected versions include main and 0.8.12; the Mermaid rendering uses securityLevel: 'loose' and injects SVG via innerHTML in the file preview path, enabling JavaScript execution in the app origin. The issue is c...
CVE-2026-54011
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6,Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with...
CVE-2026-54012 Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the...
CVE-2026-54012
CVE-2026-54012 pertains to Open WebUI. Before version 0.9.6, a user with model-creation/update/import rights could attach forged meta.knowledge entries of type file to their model. The system then trusts these entries as authorization sources, enabling a cross-user read and deletion of private fi...
CVE-2026-54013 Open WebUI: Stored XSS to Account Takeover via Model Profile Images in Open WebUI
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profile images. The ModelMeta class has no...
CVE-2026-54013
CVE-2026-54013 describes a stored XSS in Open WebUI where the model profile image URL could be a data:image/svg+xml;base64 payload. The root cause is missing input validation on ModelMeta.profile_image_url and missing output protections in the model image endpoint (no MIME allowlist, no nosniff, ...
CVE-2026-54014
Open WebUI (open-webui/open-webui) before version 0.9.6 is affected by a sibling-prefix path traversal in the cache file endpoint. The vulnerability stems from serve_cache_file() validating the absolute path with file_path.startswith(os.path.abspath(CACHE_DIR)) without appending a trailing path s...
CVE-2026-54015
Open WebUI vulnerability CVE-2026-54015 : Before 0.9.6, the prompt history IDOR flaw allows cross-prompt access via /api/v1/prompts/id/{prompt_id}/history/diff, /update/version, and /history/{history_id}. Although the URL is bound to a prompt, the server fetches history entries globally by ID wit...
CVE-2026-54015 Open WebUI: Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the promptid in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that...
CVE-2026-54016
CVE-2026-54016 : Open WebUI (self-hosted offline AI platform) suffers a Broken Object Level Authorization in the builtin search_knowledge_files tool. When native function calling is enabled and a model has no attached knowledge bases, an authenticated user can supply an arbitrary knowledge_id and...
CVE-2026-54016 Open WebUI: Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI has a Broken Object Level Authorization BOLA vulnerability in the builtin searchknowledgefiles tool. When native function calling is enabled and the selected model has no...
CVE-2026-54018 Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the SafePlaywrightURLLoader implements a validateurl function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only ...
CVE-2026-54018
Open WebUI (self-hosted offline AI) contains SSRF protection bypass in the Playwright Web Loader prior to version 0.9.6. The validator checks only the initial URL; Playwright follows redirects (301/302) by default, allowing an attacker-supplied URL that redirects to internal addresses (e.g., loca...
CVE-2026-54019 Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as...
CVE-2026-54021 Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied urlidx path parameter and use it as a raw index into the admin-configured OLLAMABASEURLS list. Access...
CVE-2026-54021
Summary: Open WebUI prior to 0.9.6 allows any authenticated user to direct requests to arbitrary Ollama backends by appending a caller-supplied url_idx, bypassing backend-level isolation and possibly reaching restricted or disabled backends. The issue arises on index-addressed Ollama proxy routes...
CVE-2026-54022 Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the ydoc:document:join Socket.IO handler checks note ownership only when the documentid starts with note: colon. However, the YdocManager storage layer normalizes all document IDs b...
CVE-2026-54022
Summary (grounded in provided sources): Open WebUI prior to version 0.8.11 has a logic bug in the ydoc:document:join handler: authorization is only enforced for document IDs starting with the prefix note:. The YdocManager stores documents using a normalized key where colons are replaced with unde...
Incorrect Authorization
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization through the getollamaurl process. An attacker can gain unauthorized access to restricted backend resources by supplying a crafted urlidx path parameter to route requests to internal or...
Server-side Request Forgery (SSRF)
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the validateurl process. An attacker can access internal network resources and sensitive information by supplying a URL that redirects to internal addresses, bypassing the...