Confused ChatGPT: Cross-App Context Poisoning Via First-Party APIs

ChatGPT Apps, launched by OpenAI on Oct. 6, 2025, introduce an app-in-app paradigm in which third-party applications share a single chat context with the user and with every other connected app. The ecosystem grew from 122 apps in Dec. 2025 to 888 by May 2026, yet its security has remained...

EUVD-2026-30606

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

CVE-2026-45671 Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

CVE-2026-45671 Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

CVE-2026-45671

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

CVE-2026-45671

Open WebUI vulnerability CVE-2026-45671 affects the shared-chat branch in the file authorization path. The has_access_to_file() gate unconditionally returns True for shared-chat references, ignoring the requesting user identity and the operation type. This allows any authenticated user to delete ...

PT-2026-41201

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description An authorization bypass allows any authenticated user to permanently delete files owned by other users. This occurs when a target file is referenced in any shared chat, as the has access to file...

CVE-2026-6729

HKUDS OpenHarness prior to PR 159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse...

CVE-2026-26193 Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, aanually modifying chat history allows setting the embeds property on a response message, the content of which is loaded into an iFrame with a sandbox that has allow-scripts...

CVE-2026-26192 Open WebUI vulnerable to Stored XSS via iFrame in citations model

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML...

PT-2025-30092 · Unknown · Perplexity Ai Gpt-4

Name of the Vulnerable Software and Affected Versions: Perplexity AI GPT-4 version 2.51.0 Description: An issue allows a remote attacker to obtain sensitive information via the token component in the shared chat URL. Recommendations: At the moment, there is no information about a newer version th...