4 matches found
Insertion of Sensitive Information Into Sent Data
Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the getmodelbyid handler in routers/models.py. An attacker can read the admin-curated system prompt and other model behavior settings by sending a GET...
September 9, 2025—KB5065511 (Security-only update)
September 9, 2025—KB5065511 Security-only update Windows Secure Boot certificate expiration Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not...
CVE-2024-7045
In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/prompts/ interface to retrieve all prompt...
CVE-2024-7045
In open-webui/open-webui v0.3.8, an improper access-control vulnerability allows attackers to read prompts via unauthenticated/admin verification by calling /api/v1/prompts/ to retrieve admin-created prompt data (including IDs) and then /api/v1/prompts/command/{command_id} for additional prompt i...