
9 matches found

NVD
added 2026/05/15 10:16 p.m., 12 views

CVE-2026-45666

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/noteid endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. Th...

CVSS 6.5, EPSS 0.00033
Exploits: 1, References: 1
ATTACKERKB
added 2026/05/15 9:7 p.m., 3 views

CVE-2026-45666

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/noteid endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. Th...

CVSS 6.5, AI score 5.8, EPSS 0.00033
Exploits: 1, References: 2, Affected Software: 1
Github Security Blog
added 2026/05/14 8:27 p.m., 6 views

Open WebUI has an Indirect Object Reference (IDOR) in user notes

Summary: The API /api/v1/notes/noteid endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data. Details: if notes is...

CVSS 6.5, AI score 5.8, EPSS 0.00033
Exploits: 1, References: 5, Affected Software: 1
Positive Technologies
added 2026/05/14 12:0 a.m., 6 views

PT-2026-41199

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.11. Description: The API endpoint '/api/v1/notes/note id' lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating note id UUIDs. This...

CVSS 6.5, AI score 5.8, EPSS 0.00033
Exploits: 1, References: 7
SUSE CVE
added 2023/02/15 4:8 a.m., 3 views

SUSE CVE-2019-15725

An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API that could result in disclosure of private milestones, labels, and other information...

CVSS 7.5, AI score 7.4, EPSS 0.00463
Exploits: 0, References: 3
CVE
added 2019/09/16 4:50 p.m., 97 views

CVE-2019-15725

CVE-2019-15725 affects GitLab Community and Enterprise Edition 12.0–12.2.1. The issue is an Insecure Direct Object Reference (IDOR) in the Epic Notes API that can disclose private milestones, labels, and other information. Root cause: improper access control on epic notes data. Impact: disclosure...

CVSS 7.5, AI score 7.2, EPSS 0.00463
Exploits: 0, References: 2, Affected Software: 1
CNVD
added 2019/09/03 12:0 a.m., 1 view

GitLab Information Disclosure Vulnerability (CNVD-2019-30780)

GitLab is a Ruby on Rails-developed, self-hosted, Git version control system project repository application from the American company GitLab. The program can be used to access a project's file contents, commit history, bug lists, and more. A security vulnerability exists in the Epic Notes API in...

CVSS 7.5, AI score 6.6, EPSS 0.00463
Exploits: 0, References: 1
NVD
added 2002/04/22 4:0 a.m., 13 views

CVE-2002-0037

Lotus Domino Servers 5.x, 4.6x, and 4.5x allows attackers to bypass the intended Reader and Author access list for a document's object via a Notes API call NSFDbReadObject that directly accesses the object...

CVSS 7.5, AI score 6.5, EPSS 0.0044
Exploits: 0, References: 4
Cvelist
added 2002/04/12 4:0 a.m., 27 views

CVE-2002-0037

Lotus Domino Servers 5.x, 4.6x, and 4.5x allows attackers to bypass the intended Reader and Author access list for a document's object via a Notes API call NSFDbReadObject that directly accesses the object...

AI score 6.5, EPSS 0.0044
Exploits: 0, References: 4