hubzoid (>=0.2.2 <=0.4.5), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45396 via open-webui (>=0.6.0 <=0.8.8)

open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45396 Source advisory: SNYK:PYTHON-OPENWEBUI-16755166...

GHSA-RJMP-VJF2-QF4G Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation

Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation Summary The POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses modelconfig = ConfigDictextra='allow'. Due to an insecure...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the FeedbackForm and insertnewfeedback paths in backend/openwebui/models/feedbacks.py. An attacker can forge feedback...

Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation

Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation Summary The POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses modelconfig = ConfigDictextra='allow'. Due to an insecure...

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization through the updatetoolsbyid handler in routers/tools.py. An attacker can execute arbitrary Python code on the server by sending a tool update that modifies the tool's content after...

NPM: Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

NPM: Open WebUI: Missing workspace.tools Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution vulnerability discovered by ? in WordPress Npm open-webui versions 0.9.5...

Insertion of Sensitive Information Into Sent Data

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the getmodelbyid handler in routers/models.py. An attacker can read the admin-curated system prompt and other model behavior settings by sending a GET...

Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint

Summary Pin/Unpin is a write operation modifies the message's ispinned , pinnedby, pinnedat fields, but in standard channels it only checks read permission, allowing users with read-only access to pin/unpin any message. Details...

Authorization Bypass Through User-Controlled Key

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the updatemessagebyid and deletemessagebyid handlers in channels.py. An attacker can overwrite or remove another member’s group or direct message conte...

Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint

Summary An IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members including administrators within the same channel. This vulnerability affects the latest version v0.8.12 of Open WebUI. Details In the updatemessagebyid...

Improper Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authorization via the bypassfilter parameter in the HTTP query string, which is unintentionally exposed in the route handler. An attacker can gain unauthorized access to restricted models by appendin...

Information Exposure

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Information Exposure via the api/models endpoint. An attacker can access sensitive system prompt information by sending authenticated requests as a non-admin user. Remediation Upgrade open-webui to version...

hubzoid (>=0.2.2 <=0.4.5), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45351 via open-webui (>=0.6.0 <=0.8.8)

open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45351 Source advisory: OSV:GHSA-JH9G-8JQW-M2QX...

GHSA-JH9G-8JQW-M2QX Open WebUI Exposes System Prompt to Regular User [Non-Admin]

Summary A regular user non-admin can view the system prompt of the model which is set by an admin. Details When a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of available...

GHSA-4PCG-253R-RF9W Open WebUI's chat completion API allows tool restrictions to be bypassed

Summary Open WebUI v0.6.43 contains a vulnerability in its chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. Details In the chatcompletion API, the parameters toolids and toolservers are supplied by the user. These...

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization via the chatcompletion API when user-supplied toolids or toolservers parameters are processed without verifying the user's permissions. An attacker can gain unauthorized access to...

Authorization Bypass Through User-Controlled Key

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the chatcompletion process. An attacker can access and continue another user's conversation by supplying a known Chat ID in API requests. This is only...

Open WebUI has Broken Access Control for Completions API

Summary Any user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so. Details A user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of anoth...

GHSA-GFM2-XM6C-37QC Open WebUI has Broken Access Control for Completions API

Summary Any user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so. Details A user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of anoth...

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the pdf generate process. An attacker can cause the server to initiate arbitrary outbound HTTP requests by injecting crafted HTML, such as an tag, into user-controllable...