GHSA-JGJ3-R8HR-9PJW Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission

Vulnerability Description In standard channels i.e., channels whose channel.type is neither group nor dm, the endpoint POST /api/v1/channels/channelid/messages/messageid/update can be accessed with read permission only. When accesscontrol is set to None, the authorization check hasaccess...,...

GHSA-J3FW-WC48-29G3 Open WebUI Arbitrary File Write, Delete via Path Traversal

CONFIDENTIAL Vulnerability Disclosure Analysis Documentation ----------------------------------------------- Vulnerability Details --------------------- 1. Discoverer: Taylor Pennington of KoreLogic, Inc. 2. Date Submitted: June 11, 2024 3. Title: Open WebUI Arbitrary File Write, Delete via Path...

Open WebUI Arbitrary File Write, Delete via Path Traversal

CONFIDENTIAL Vulnerability Disclosure Analysis Documentation ----------------------------------------------- Vulnerability Details --------------------- 1. Discoverer: Taylor Pennington of KoreLogic, Inc. 2. Date Submitted: June 11, 2024 3. Title: Open WebUI Arbitrary File Write, Delete via Path...

GHSA-6XCP-7MPR-M7WM Open WebUI has a CORS misconfiguration and session validation issue

GitHub Security Lab GHSL Vulnerability Report, open-webui: GHSL-2024-174, GHSL-2024-175 The GitHub Security Lab team has identified potential security vulnerabilities in open-webui. We are committed to working with you to help resolve these issues. In this report you will find everything you need...

Open WebUI has a CORS misconfiguration and session validation issue

GitHub Security Lab GHSL Vulnerability Report, open-webui: GHSL-2024-174, GHSL-2024-175 The GitHub Security Lab team has identified potential security vulnerabilities in open-webui. We are committed to working with you to help resolve these issues. In this report you will find everything you need...

PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`

Summary The safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls...

GHSA-9Q28-GHCR-C4X3 PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`

Summary The safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls...

PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute

Summary praisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An...

GHSA-GMJG-HV98-QGGQ PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute

Summary praisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An...

PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection

Summary PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...

GHSA-9MQQ-JQXF-GRVW PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection

Summary PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...

GHSA-3643-7V76-5CJ2 PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries

Summary PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. Details This issue affec...

PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries

Summary PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. Details This issue affec...

PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution

Summary PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. Details The vulnerable server is the shippe...

GHSA-6RMH-7XCM-CPXJ PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution

Summary PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. Details The vulnerable server is the shippe...

kernel: crypto: algif_aead - Revert to operating out-of-place

A flaw was found in the Linux kernel's algifaead cryptographic algorithm interface. An incorrect in-place operation causes source and destination data mappings to differ during cryptographic processing. A low-privileged local attacker can exploit this flaw to corrupt the contents of sensitive...

kernel: crypto: algif_aead - Revert to operating out-of-place

A flaw was found in the Linux kernel's algifaead cryptographic algorithm interface. An incorrect in-place operation causes source and destination data mappings to differ during cryptographic processing. A low-privileged local attacker can exploit this flaw to corrupt the contents of sensitive...

Security Bulletin: IBM Integration Bus for z/OS webui is potentially vulnerable to an clickjacking attack ( CVE-2026-1353 )

Summary IBM Integration Bus for z/OS webui is potentially vulnerable to an clickjacking attack. Vulnerability Details CVEID:CVE-2026-1353 DESCRIPTION: IBM App Connect Enterprise could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious...

CLSA-2026-1778489316 java-1.8.0-openjdk: Fix of 8 CVEs

Update to shenandoah-jdk8u492-b09 - Security fixes from OpenJDK 8u492-b09: - CVE-2026-22003: enhance behavior of some intrinsics - CVE-2026-22007: enhance crypto algorithm support - CVE-2026-22013: improve Kerberos credentialing - CVE-2026-22018: enhance Zip file reading - CVE-2026-22021: enhance...

CLSA-2026-1778488897 java-1.8.0-openjdk: Fix of 8 CVEs

Update to shenandoah-jdk8u492-b09 - Security fixes from OpenJDK 8u492-b09: - CVE-2026-22003: enhance behavior of some intrinsics - CVE-2026-22007: enhance crypto algorithm support - CVE-2026-22013: improve Kerberos credentialing - CVE-2026-22018: enhance Zip file reading - CVE-2026-22021: enhance...