Lucene search
K

66 matches found

OSV
OSV
added 2026/05/08 10:38 p.m.7 views

GHSA-9PGH-J74G-QJ6M Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal

CONFIDENTIAL KL-CAN-2024-002 Vulnerability Details | | Field | Value | |---|-------|-------| | 1 | Discoverer | Jaggar Henry & Sean Segreti of KoreLogic, Inc. | | 2 | Date Submitted | 2024.03.12 | | 3 | Title | Open WebUI Arbitrary File Upload + Path Traversal | | 5 | Affected Vendor | Open WebUI...

7.3CVSS6.2AI score0.00336EPSS
Exploits1References3
OSV
OSV
added 2026/05/08 8:1 p.m.7 views

GHSA-HMGR-67HW-J2CQ Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels

Deactivated Channel Members Retain Full Access to Group/DM Channels Affected Component Channel membership authorization check: - backend/openwebui/models/channels.py lines 663-673, isuserchannelmember - Used at 15 locations in backend/openwebui/routers/channels.py Affected Versions Current main...

5.4CVSS5.8AI score0.00178EPSS
Exploits1References3
OSV
OSV
added 2026/05/08 7:50 p.m.6 views

GHSA-7RJH-PX4V-5W55 Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants

Channel Access Grants Bypass filterallowedaccessgrants Affected Component Channel creation and update endpoints: - backend/openwebui/routers/channels.py lines 291-340, createnewchannel - backend/openwebui/routers/channels.py lines 617-638, updatechannelbyid - backend/openwebui/models/channels.py...

5.4CVSS5.9AI score0.0019EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/08 7:45 p.m.11 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the basemodelid process. An attacker can gain unauthorized access to restricted models by creating a new model that chains to a restricted base model and invoking it, causing the serv...

7.6CVSS5.8AI score0.00248EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 7:0 p.m.11 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the sanitizeResponseContent process. An attacker can execute arbitrary JavaScript in the browser of another user by crafting a malicious model description containing a markdown lin...

8.5CVSS7.2AI score0.00308EPSS
Exploits1References2
Chainguard
Chainguard
added 2026/05/06 7:17 p.m.13 views

CVE-2026-41168 vulnerabilities

Vulnerabilities for packages: litellm, open-webui, nemo...

6.9CVSS6.1AI score0.00297EPSS
Exploits0
Circl
Circl
added 2026/05/05 3:47 p.m.11 views

CVE-2026-44567

creationtimestamp| type| source ---|---|--- 2026-05-05 15:47:41+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-4vg5-rp28-gvjf...

7.3CVSS5.8AI score0.0023EPSS
Exploits1References1
Wolfi
Wolfi
added 2026/04/29 8:1 p.m.11 views

GHSA-JJ6C-8H6C-HPPX vulnerabilities

Vulnerabilities for packages: open-webui...

5.2AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/04/01 5:2 p.m.2 views

CVE-2026-34222 Open WebUI has Broken Access Control in Tool Valves

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11...

7.7CVSS5.8AI score0.05271EPSS
Exploits1References2
NVD
NVD
added 2026/03/27 12:16 a.m.5 views

CVE-2026-29070

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin,...

8.1CVSS0.00252EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/27 12:0 a.m.9 views

Open WebUI 安全漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.8.6 contained security vulnerabilities. These vulnerabilities stemmed from the lack of access control checks when deleting files from the knowledge base, which could...

8.1CVSS5.9AI score0.00252EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/26 11:37 p.m.1 views

CVE-2026-28786

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError whose message — including th...

4.3CVSS5.8AI score0.00427EPSS
Exploits1References2Affected Software1
Circl
Circl
added 2026/03/26 11:27 p.m.11 views

CVE-2026-29070

creationtimestamp| type| source ---|---|--- 2026-03-26 23:27:54+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf...

8.1CVSS5.8AI score0.00252EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/26 12:0 a.m.5 views

PT-2026-28385

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.6 Description Open WebUI is an artificial intelligence platform designed for offline operation. A missing access control check when deleting files from a knowledge base allows a user with write access to a...

5.4CVSS6AI score0.00252EPSS
Exploits1References6
EUVD
EUVD
added 2026/03/09 9:31 p.m.5 views

EUVD-2025-208453

A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/startwindows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUISECRETKEY leads to insufficiently random values. It is possible to launch the attack...

6.3CVSS5.3AI score0.00289EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/01/09 12:0 a.m.11 views

PT-2026-1997

Name of the Vulnerable Software and Affected Versions Open WebUI affected versions not specified Description A flaw exists in Open WebUI that allows network-adjacent attackers to disclose sensitive information. The issue stems from transmitting credentials in plaintext through an unspecified...

5.3CVSS5.5AI score0.00241EPSS
Exploits1References2
Chainguard
Chainguard
added 2026/01/07 1:30 a.m.7 views

CVE-2025-66019 vulnerabilities

Vulnerabilities for packages: nemo, open-webui...

8.7CVSS7AI score0.00313EPSS
Exploits0
Wolfi
Wolfi
added 2025/12/06 1:48 a.m.10 views

CVE-2025-66416 vulnerabilities

Vulnerabilities for packages: semgrep, open-webui...

8.1CVSS7AI score0.00463EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2025/12/04 6:30 p.m.7 views

open-webui is Vulnerable to Incorrect Access Control

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers a normal user to stop arbitrary LLM response tasks...

4.3CVSS7.1AI score0.00263EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2025/11/08 1:29 a.m.6 views

EUVD-2025-38253

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers vi...

7.3CVSS8.3AI score0.07874EPSS
Exploits1References3
Rows per page
Query Builder