Lucene search
K

7 matches found

RedhatCVE
RedhatCVE
added 2026/05/19 1:56 p.m.10 views

CVE-2026-45386

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation modifies the message's ispinned , pinnedby, pinnedat fields, but in standard channels it only checks read permission, allowing users with read-only...

4.3CVSS5.8AI score0.00204EPSS
Exploits1References1
NVD
NVD
added 2026/05/15 9:16 p.m.23 views

CVE-2026-45386

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation modifies the message's ispinned , pinnedby, pinnedat fields, but in standard channels it only checks read permission, allowing users with read-only...

4.3CVSS0.00204EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/15 8:36 p.m.15 views

EUVD-2026-30632

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation modifies the message's ispinned , pinnedby, pinnedat fields, but in standard channels it only checks read permission, allowing users with read-only...

4.3CVSS5.8AI score0.00204EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/15 8:36 p.m.41 views

CVE-2026-45386 Open WebUI: An IDOR vulnerability exists in the pin_channel_message API endpoint

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation modifies the message's ispinned , pinnedby, pinnedat fields, but in standard channels it only checks read permission, allowing users with read-only...

4.3CVSS0.00204EPSS
Exploits1References1
CVE
CVE
added 2026/05/15 8:36 p.m.36 views

CVE-2026-45386

Technical summary (CVE-2026-45386) Open WebUI’s pin_channel_message API endpoint exposes an IDOR vulnerability in standard channels. Prior to version 0.9.5, the endpoint checks only read permission for non-admin users, allowing read-only users to pin/unpin any message in channels where they have ...

4.3CVSS5.8AI score0.00204EPSS
Exploits1References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/14 8:25 p.m.12 views

Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint

Summary Pin/Unpin is a write operation modifies the message's ispinned , pinnedby, pinnedat fields, but in standard channels it only checks read permission, allowing users with read-only access to pin/unpin any message. Details...

4.3CVSS5.8AI score0.00204EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.17 views

PT-2026-41188

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.5 Description In standard channels, the pin and unpin operation incorrectly verifies only read permissions instead of write permissions. This allows users with read-only access to modify the is pinned, pinned b...

4.3CVSS5.8AI score0.00204EPSS
Exploits1References6
Rows per page
Query Builder