Lucene search
K

72 matches found

EUVD
EUVD
added 2026/05/15 7:12 p.m.25 views

EUVD-2026-30607

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU Time-of-Check-Time-of-Use pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line...

8.1CVSS5.9AI score0.00354EPSS
Exploits1References3
EUVD
EUVD
added 2026/04/01 8:25 p.m.3 views

EUVD-2026-17977

Open WebUI has Broken Access Control in Tool Valves...

7.7CVSS5.9AI score0.05271EPSS
Exploits1References3
CVE
CVE
added 2026/04/01 5:2 p.m.11 views

CVE-2026-34222

Affected product: Open WebUI, a self-hosted offline AI platform. Issue: broken access control in tool values prior to version 0.8.11. Impact: potential exposure due to access control bypass; CVSS 3.1 base score 7.7 (HIGH) with Network attack vector, low privileges required, no user interaction, c...

7.7CVSS5.8AI score0.05271EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/28 4:56 a.m.12 views

CVE-2026-29071

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via /api/v1/retrieval/query/collection. Version 0.8.6 patches the issue...

4.3CVSS5.9AI score0.00253EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/27 3:35 p.m.3 views

EUVD-2026-16484

Open WebUI has unauthorized deletion of knowledge files...

5.4CVSS5.9AI score0.00252EPSS
Exploits1References3
EUVD
EUVD
added 2026/03/27 3:34 p.m.5 views

EUVD-2026-16482

Open WebUI's processfilesbatch endpoint missing ownership check, allows unauthorized file overwrite...

7.1CVSS5.8AI score0.02858EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/26 11:54 p.m.2 views

CVE-2026-29071

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via /api/v1/retrieval/query/collection. Version 0.8.6 patches the issue...

3.1CVSS5.8AI score0.00253EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/26 11:39 p.m.3 views

CVE-2026-29070

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin,...

5.4CVSS5.9AI score0.00252EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/02/19 7:15 p.m.17 views

CVE-2026-26193

Open WebUI (self-hosted, offline) is affected prior to v0.6.44. The vulnerability arises from allowing manual modification of chat history to set the embeds property on a response message, which is loaded into an iframe with an aggressive sandbox (allow-scripts and allow-same-origin) that bypasse...

7.3CVSS5.5AI score0.00198EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.6 views

PT-2026-20917

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.7.0 Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Modifying chat history before version 0.7.0 allows manipulation of the html property within...

7.3CVSS4.8AI score0.00194EPSS
Exploits1References21
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.8 views

PT-2026-20918

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.44 Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Manually modifying chat history allows setting the embeds property on a response message. The...

7.3CVSS4.8AI score0.00198EPSS
Exploits1References13
CVE
CVE
added 2025/05/05 6:50 p.m.96 views

CVE-2025-46719

Open WebUI vulnerability CVE-2025-46719 affects versions prior to 0.6.6. A flaw in rendering certain HTML tags in chat messages allows stored cross-site scripting (XSS) in chat transcripts, which are accessible by other users on the same server or via Open WebUI community sharing. In the user’s b...

6.4CVSS6.5AI score0.00449EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder