Lucene search
+L

26 matches found

nvd
nvd
added 2026/07/09 5:17 p.m.6 views

CVE-2026-59222

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6.5CVSS0.00265EPSS
Exploits1References3
redhat
redhat
added 2026/06/25 5:36 p.m.7 views

keycloak: Keycloak: Information disclosure due to user profile permission bypass

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS5.7AI score0.00348EPSS
Exploits0References4
redhat
redhat
added 2026/06/10 5:38 p.m.11 views

keycloak: Keycloak: Information disclosure due to user profile permission bypass

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS5.3AI score0.00348EPSS
Exploits0References4
cvelist
cvelist
added 2026/06/05 7:52 a.m.48 views

CVE-2026-9088 Keycloak: keycloak: information disclosure due to user profile permission bypass

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS0.00348EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/06/05 7:52 a.m.8 views

CVE-2026-9088

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS5.4AI score0.00348EPSS
Exploits0References7
euvd
euvd
added 2026/06/05 7:52 a.m.12 views

EUVD-2026-34790

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS5.4AI score0.00348EPSS
Exploits0References2
redhatcve
redhatcve
added 2026/06/05 7:48 a.m.12 views

CVE-2026-9088

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS5AI score0.00348EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/05/15 7:41 p.m.13 views

CVE-2026-44559 Open WebUI: Missing Access Check on Channel Members Endpoint for Standard Channels

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/id/members endpoint only checks membership for group and dm channel types lines 467-469. For standard channels — including private ones — there is no...

4.3CVSS5.8AI score0.00221EPSS
Exploits1References1
osv
osv
added 2026/05/15 7:41 p.m.5 views

CVE-2026-44559 Open WebUI: Missing Access Check on Channel Members Endpoint for Standard Channels

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/id/members endpoint only checks membership for group and dm channel types lines 467-469. For standard channels — including private ones — there is no...

4.3CVSS6AI score0.00221EPSS
Exploits1References3
github
github
added 2026/05/08 7:51 p.m.16 views

Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels

Missing Access Check on Channel Members Endpoint for Standard Channels Affected Component Channel members listing endpoint: - backend/openwebui/routers/channels.py lines 445-507, getchannelmembersbyid Affected Versions Current main branch and likely all versions with the channels feature...

4.3CVSS5.8AI score0.00221EPSS
Exploits1References3Affected Software1
ptsecurity
ptsecurity
added 2026/05/08 12:0 a.m.14 views

PT-2026-39276

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description An issue exists in the 'GET /api/v1/channels/id/members' endpoint where membership checks are only performed for group and dm channel types. For standard channels, including private ones, the syst...

4.3CVSS6.1AI score0.00221EPSS
Exploits1References12
vulnrichment
vulnrichment
added 2026/01/05 5:46 p.m.3 views

CVE-2025-59955 Coolify leaksensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members` API endpoint

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/teamid/members and /api/v1/teams/current/members API endpoints allows...

7.1CVSS5.8AI score0.00252EPSS
Exploits1References1
cve
cve
added 2026/01/05 5:46 p.m.15 views

CVE-2025-59955

Coolify (versions ≤ 4.0.0-beta.420.8) has an information disclosure in /api/v1/teams/{team_id}/members and /api/v1/teams/current/members, allowing authenticated team members to access the email_change_code of other users on the same team. This code is intended for single-use email-change verifica...

7.1CVSS5.8AI score0.00252EPSS
Exploits1References1Affected Software1
osv
osv
added 2026/01/02 3:42 p.m.7 views

CVE-2025-69284 In plane.io, a Guest User to a Workspace can still be able to see list of members

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https://app.plane.so/:slug/settings. Prior to Plane version 1.2.0, a problem occurs when the /api/workspaces/:slug/members/ is accessible by guest and able to list of users on a...

4.3CVSS6.7AI score0.00162EPSS
Exploits0References3
osv
osv
added 2025/12/05 2:2 p.m.5 views

CVE-2025-14086 youlaitech youlai-mall openid access control

A vulnerability was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the file /app-api/v1/members/openid/. The manipulation of the argument openid results in improper access controls. The attack can be executed remotely. The exploit has been made public and could be...

5.3CVSS6.2AI score0.00277EPSS
Exploits1References6
ptsecurity
ptsecurity
added 2025/12/05 12:0 a.m.11 views

PT-2025-49176

Name of the Vulnerable Software and Affected Versions youlaitech youlai-mall versions 1.0.0 through 2.0.0 Description A flaw exists in the getMemberById function located in the /mall-ums/app-api/v1/members/ file. The issue stems from improper access controls when handling the memberId argument,...

6.5CVSS6.4AI score0.00225EPSS
Exploits1References9
susecve
susecve
added 2025/11/09 12:37 a.m.3 views

SUSE CVE-2025-10545

Mattermost versions 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the /api/v4/channels/channelid/members endpoint...

4.3CVSS6.9AI score0.00302EPSS
Exploits0References2
cnvd
cnvd
added 2025/10/21 12:0 a.m.3 views

Unspecified Vulnerability in Mattermost (CNVD-2025-24795)

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from a security vulnerability that can be exploited by an attacker to cause guest users to add arbitrary team members to their private channels via the...

4.3CVSS7AI score0.00302EPSS
Exploits0References1
nvd
nvd
added 2025/10/16 9:15 a.m.8 views

CVE-2025-10545

Mattermost versions 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the /api/v4/channels/channelid/members endpoint...

4.3CVSS0.00302EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2025/10/16 8:24 a.m.2 views

CVE-2025-10545 Guest user can add unauthorized team users to private channels

Mattermost versions 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the /api/v4/channels/channelid/members endpoint...

3.1CVSS6.4AI score0.00302EPSS
Exploits0References1
Rows per page
Query Builder