CVE-2026-59215
Open WebUI prior to 0.10.0 contains a cross-channel thread context exposure bug: channel thread parent_id binding did not bind to the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. The issue is fixed in ve...