Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline

A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's machine, building ...

CVE-2026-12199

A flaw was found in the nltk component, specifically in the nltk.app.wordnetapp. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted GET request to the WordNet Browser HTTP server when it is running in its default mode. This allows the attacker to...

GHSA-4R4W-2WGP-W7CJ Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion

Summary Open WebUI's prompt version-history endpoints authorize the promptid in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt historyentry.promptid == prompt.id. Three operations are affected: - GET...

Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion

Summary Open WebUI's prompt version-history endpoints authorize the promptid in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt historyentry.promptid == prompt.id. Three operations are affected: - GET...

GHSA-J2C8-V969-8R5C Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}

Summary A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator...

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}

Summary A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator...

GHSA-V2QM-5WXJ-QHJ7 Open WebUI: Stored XSS to Account Takeover via Model Profile Images

Stored XSS to Account Takeover via Model Profile Images in Open WebUI Affected: Open WebUI tags. On the output side, users.py added a MIME allowlist check and X-Content-Type-Options: nosniff. The fix was applied to UserUpdateForm, UpdateProfileForm, and later to ChannelWebhookForm. Three models...

Open WebUI: Stored XSS to Account Takeover via Model Profile Images

Stored XSS to Account Takeover via Model Profile Images in Open WebUI Affected: Open WebUI tags. On the output side, users.py added a MIME allowlist check and X-Content-Type-Options: nosniff. The fix was applied to UserUpdateForm, UpdateProfileForm, and later to ChannelWebhookForm. Three models...

GHSA-VJQM-6GCC-62CR Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion

Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...

Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion

Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...

Open WebUI: Forged chat-file link allows cross-user file read and deletion

Summary Open WebUI v0.9.5 lets an authenticated user attach arbitrary fileid values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, hasaccesstofile treats the victim file as accessible...

GHSA-VRHC-3FR6-PC3C Open WebUI: Forged chat-file link allows cross-user file read and deletion

Summary Open WebUI v0.9.5 lets an authenticated user attach arbitrary fileid values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, hasaccesstofile treats the victim file as accessible...

GHSA-WCH8-MHJ5-9FRG Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field

summary POST /api/chat/completions accepts an imageurl.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the global file table with no ownership check. An authenticated user can therefore set imageurl.url to another...

Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field

summary POST /api/chat/completions accepts an imageurl.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the global file table with no ownership check. An authenticated user can therefore set imageurl.url to another...

Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)

Summary backend/openwebui/utils/oauth.py::processpictureurl v0.9.5, lines 1435-1470 calls validateurlpictureurl on the initial URL only, then invokes aiohttp.ClientSession.getpictureurl, ... without allowredirects=False. aiohttp's default is allowredirects=True, maxredirects=10; the function does...

GHSA-226F-F24G-524W Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)

Summary backend/openwebui/utils/oauth.py::processpictureurl v0.9.5, lines 1435-1470 calls validateurlpictureurl on the initial URL only, then invokes aiohttp.ClientSession.getpictureurl, ... without allowredirects=False. aiohttp's default is allowredirects=True, maxredirects=10; the function does...

GHSA-F3G7-59QC-PQG6 Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar

Summary POST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally. A regula...

Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar

Summary POST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally. A regula...

Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services

Summary There is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple WRR backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own...

GHSA-3G6V-2R68-PRFC Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services

Summary There is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple WRR backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own...