4 matches found

Snyk
added 2026/05/14 8:26 p.m., 7 views

Insertion of Sensitive Information Into Sent Data

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the getmodelbyid handler in routers/models.py. An attacker can read the admin-curated system prompt and other model behavior settings by sending a GET...

CVSS 5.3 | AI score 5.8 | EPSS 0.0022
Exploits: 1 | References: 3
Microsoft KB
added 2025/09/09 7:0 a.m., 7 views

September 9, 2025—KB5065511 (Security-only update)

September 9, 2025—KB5065511 Security-only update. Windows Secure Boot certificate expiration. Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the...

CVSS 9.8 | AI score 7.6 | EPSS 0.18834
Exploits: 4
NVD
added 2025/03/20 10:15 a.m., 6 views

CVE-2024-7045

In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/prompts/ interface to retrieve all prompt...

CVSS 4.3 | EPSS 0.00401
Exploits: 1 | References: 1
CVE
added 2025/03/20 10:10 a.m., 80 views

CVE-2024-7045

In open-webui/open-webui v0.3.8, an improper access-control vulnerability allows attackers to read prompts via unauthenticated/admin verification by calling /api/v1/prompts/ to retrieve admin-created prompt data (including IDs) and then /api/v1/prompts/command/{command_id} for additional prompt i...

CVSS 4.3 | AI score 4.9 | EPSS 0.00401
Exploits: 1 | References: 1 | Affected Software: 1