2 matches found
CVE-2026-59213 Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, getallmodels handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of keybuilder, causing permission-filtered per-user model lists to share a stat...
CVE-2026-59213
Open WebUI (self-hosted AI platform) is affected in versions 0.6.27–0.10.0 by a bug in get_all_models handlers (routers/openai.py and routers/ollama.py) where a lambda was passed to aiocache key instead of key_builder. This caused permission-filtered per-user model lists to share a static cache e...