22 matches found
CVE-2026-54009
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an imageurl.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the...
CVE-2026-54009 Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an imageurl.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the...
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
summary POST /api/chat/completions accepts an imageurl.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the global file table with no ownership check. An authenticated user can therefore set imageurl.url to another...
GHSA-WCH8-MHJ5-9FRG Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
summary POST /api/chat/completions accepts an imageurl.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the global file table with no ownership check. An authenticated user can therefore set imageurl.url to another...
CVE-2026-45401 Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validateurl function in backend/openwebui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream sync requests, async...
CVE-2026-45349
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another user to continue the conversation of the other...
EUVD-2026-30605
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another user to continue the conversation of the other...
CVE-2026-45349 Open WebUI: Broken Access Control for Completions API
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another user to continue the conversation of the other...
Open WebUI 安全漏洞
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.0 contained security vulnerabilities. These vulnerabilities stemmed from the ability for users to continue a conversation with another user through...
Open WebUI 授权问题漏洞
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under the open source Open WebUI project. Versions of Open WebUI prior to 0.8.11 had an authorization issue vulnerability. This vulnerability stemmed from the internal bypassfilter parameter being exposed through FastA...
GHSA-V6QF-75PR-P96M Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]
Summary An internal-only bypassfilter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypassfilter=true and bypass model access control checks to invoke admin-restricted models...
QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0
SSRF Filter Bypass via 0.0.0.0 Summary The SSRF protection introduced in v0.9.0.5 CVE-2025-59146 and hardened in v0.9.6 CVE-2025-62155 does not block the unspecified address 0.0.0.0. A regular non-admin user holding any valid API token can send a multimodal request to /v1/chat/completions,...
CVE-2025-62426
A vulnerability in vLLM allows an authenticated user to trigger unintended tokenization during chat template processing by supplying crafted chattemplatekwargs to the /v1/chat/completions or /tokenize endpoints. By forcing the server to tokenize very large inputs, an attacker can block the API...
CVE-2025-62426
vLLM is an inference and serving engine for large language models LLMs. From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the...
CVE-2025-62426
Summary: CVE-2025-62426 affects vLLM up to versions before 0.11.1. The /v1/chat/completions and /tokenize endpoints accept a chat_template_kwargs parameter that is used before validation, allowing an attacker to block the API server by forcing large tokenization tasks and delaying all other reque...
CVE-2025-62426 vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
vLLM is an inference and serving engine for large language models LLMs. From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the...
CVE-2025-62426 vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
vLLM is an inference and serving engine for large language models LLMs. From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the...
SQL Injection
Overview airda is an airda Affected versions of this package are vulnerable to SQL Injection via the execute function in the /v1/chat/completions file when processing the question argument. An attacker can access or modify sensitive data, or disrupt application functionality by sending crafted...
hitsz-ids airda 注入漏洞
hitsz-ids airda is an open source multi-intelligence for data analytics by China's HITZ Shenzhen Data Security Research Institute hitsz-ids. An injection vulnerability exists in hitsz-ids airda version 0.0.3, which stems from SQL injection due to incorrect manipulation of the parameter question i...
CVE-2025-48944
vLLM is an inference and serving engine for large language models LLMs. In version 0.8.0 up to but excluding 0.9.0, the vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality ...