Lucene search
K

15 matches found

NVD
NVD
added 6 days ago8 views

CVE-2026-59225

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...

6.3CVSS0.00211EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago35 views

CVE-2026-59225 Open WebUI: Arena task endpoints can bypass underlying model access controls

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...

5.4CVSS0.00211EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 6 days ago11 views

CVE-2026-59225

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...

5.4CVSS6AI score0.00211EPSS
Exploits0References5Affected Software1
CVE
CVE
added 6 days ago14 views

CVE-2026-59225

Open WebUI vulnerability CVE-2026-59225 affects versions 0.8.12 up to before 0.10.0. An authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model via task endpoints like /api/v1/tasks/moa/completions. The normal chat flow re-checks submodel ac...

6.3CVSS6AI score0.00211EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 6 days ago8 views

EUVD-2026-42639

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...

5.4CVSS6AI score0.00211EPSS
Exploits0References4
OSV
OSV
added 6 days ago3 views

CVE-2026-59225 Open WebUI: Arena task endpoints can bypass underlying model access controls

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...

5.4CVSS6.1AI score0.00211EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 6 days ago7 views

PT-2026-56888

Name of the Vulnerable Software and Affected Versions Open WebUI versions 0.8.12 through 0.9.x Description An authenticated non-admin user with read access to an arena wrapper model can access a restricted underlying model. This occurs because task endpoints, such as...

6.3CVSS6.2AI score0.00211EPSS
Exploits0References9
EUVD
EUVD
added 2026/06/30 3:56 p.m.8 views

EUVD-2026-40356

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References3
OSV
OSV
added 2026/06/30 3:56 p.m.2 views

CVE-2026-58176 RuoYi-Vue-Plus - Missing Authorization on Workflow Task Management Endpoints

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...

7.1CVSS6AI score0.00264EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-53926

Name of the Vulnerable Software and Affected Versions RuoYi-Vue-Plus versions prior to 5.6.3 Description The software exposes workflow task management endpoints under '/workflow/task' FlwTaskController without proper permission checks. Because the controller lacks class-level or method-level...

7.1CVSS6AI score0.00264EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/04/08 7:57 p.m.4 views

CVE-2026-22680

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/taskid routes withou...

6.9CVSS5.9AI score0.00384EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/07 6:31 p.m.5 views

EUVD-2026-19744

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/taskid routes withou...

6.9CVSS5.9AI score0.00384EPSS
Exploits1References5
NVD
NVD
added 2026/04/07 6:16 p.m.4 views

CVE-2026-22680

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/taskid routes withou...

6.9CVSS0.00384EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/07 5:8 p.m.2 views

CVE-2026-22680

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/taskid routes withou...

6.9CVSS5.9AI score0.00384EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/04/07 5:8 p.m.21 views

CVE-2026-22680 OpenViking < 0.3.3 Missing Authorization via Task Polling

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/taskid routes withou...

6.9CVSS0.00384EPSS
Exploits1References4
Rows per page
Query Builder