CVE-2026-45339 Open WebUI: API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...

CVE-2026-45339 Open WebUI: API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the REST layer when processing malformed HTTP requests. An attacker can gain unauthorized access to restricted API endpoints by crafting specially formed HTTP requests. This is only exploitable if custom plugi...

PYSEC-2026-170

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVE-2026-1114

CVE-2026-1114 affects parisneo/lollms 2.1.0. The issue is an improper access control flaw caused by signing JWTs with a weak secret key, enabling an offline brute‑force to recover the key. With the cracked secret, an attacker can forge administrative tokens, modify the JWT payload, and resigns to...

CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

PT-2026-30796

Name of the Vulnerable Software and Affected Versions parisneo/lollms versions prior to 2.2.0 Description Session management is subject to improper access control because a weak secret key is used for signing JSON Web Tokens JWT. This allows an attacker to conduct an offline brute-force attack to...

CVE-2026-30702

The WiFi Extender WDR201A HW V2.1, FW LFMZX28040922V1.02 implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoint...

CVE-2025-71257

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality a...

Origin Validation Error

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Origin Validation Error via the @localcheck decorator. An attacker can gain unauthorized access to restricted API endpoints by spoofing the Host header in...

CVE-2025-71257

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality a...

CVE-2025-71257

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality a...

CVE-2025-71257 BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Authentication Bypass

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality a...

CVE-2025-71257

BMC FootPrints ITSM versions 20.20.02–20.24.01.001 are affected by an authentication bypass in restricted REST API endpoints and servlets. The Nuclei template details an authentication bypass in the password reset flow: an unauthenticated actor can obtain a valid SEC_TOKEN via /footprints/service...

CVE-2025-71257 BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Authentication Bypass

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality a...

BMC FootPrints 访问控制错误漏洞

BMC FootPrints is an IT service management and ticket tracking system provided by the American company BMC. Versions of BMC FootPrints prior to 20.24.01.001 contained a security vulnerability related to access control. This vulnerability stemmed from improper execution of security filters for...

EUVD-2026-12874

The WiFi Extender WDR201A HW V2.1, FW LFMZX28040922V1.02 implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoint...

CVE-2026-30702

The WiFi Extender WDR201A HW V2.1, FW LFMZX28040922V1.02 implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoint...

CVE-2026-30702

The WiFi Extender WDR201A HW V2.1, FW LFMZX28040922V1.02 implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoint...