Lucene search

15 matches found

RedhatCVE
added 2026/05/19 1:56 p.m., 6 views

CVE-2026-44566

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a prompt, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with...

9.8 CVSS, 5.8 AI score, 0.00079 EPSS
Exploits: 1, References: 1

RedhatCVE
added 2026/05/18 7:58 p.m., 7 views

CVE-2026-44567

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is...

7.3 CVSS, 5.8 AI score, 0.00098 EPSS
Exploits: 1, References: 1

NVD
added 2026/05/15 10:16 p.m., 7 views

CVE-2026-44566

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a prompt, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with...

9.8 CVSS, 0.00079 EPSS
Exploits: 1, References: 1

EUVD
added 2026/05/15 9:1 p.m., 7 views

EUVD-2026-30641

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a prompt, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with...

7.3 CVSS, 5.8 AI score, 0.00079 EPSS
Exploits: 1, References: 1

Vulnrichment
added 2026/05/15 9:1 p.m., 6 views

CVE-2026-44566 Open WebUI: Arbitrary File Upload and Path Traversal

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a prompt, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with...

7.3 CVSS, 5.8 AI score, 0.00079 EPSS
Exploits: 1, References: 1

Cvelist
added 2026/05/15 9:1 p.m., 29 views

CVE-2026-44566 Open WebUI: Arbitrary File Upload and Path Traversal

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a prompt, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with...

7.3 CVSS, 0.00079 EPSS
Exploits: 1, References: 1

ATTACKERKB
added 2026/05/15 9:1 p.m., 2 views

CVE-2026-44566

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a prompt, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with...

7.3 CVSS, 5.8 AI score, 0.00079 EPSS
Exploits: 1, References: 2, Affected Software: 1

ATTACKERKB
added 2026/05/15 8:59 p.m., 4 views

CVE-2026-44567

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is...

7.3 CVSS, 5.8 AI score, 0.00098 EPSS
Exploits: 1, References: 2, Affected Software: 1

Vulnrichment
added 2026/05/15 8:59 p.m., 8 views

CVE-2026-44567 Open WebUI: Open WebUI Improper Authorization Control

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is...

7.3 CVSS, 5.8 AI score, 0.00098 EPSS
Exploits: 1, References: 1

EUVD
added 2026/05/15 8:59 p.m., 7 views

EUVD-2026-30643

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is...

7.3 CVSS, 5.8 AI score, 0.00098 EPSS
Exploits: 1, References: 1

CVE
added 2026/05/15 8:59 p.m., 9 views

CVE-2026-44567

Open WebUI improperly authorizes users with a pending role. The CVE describes that prior to v0.1.124 the API does not validate that a user has an authorized role, allowing a pending user to access endpoints intended for authenticated users. Technical details show get_current_user() validates JWTs...

7.3 CVSS, 5.8 AI score, 0.00098 EPSS
Exploits: 1, References: 1, Affected Software: 1

Cvelist
added 2026/05/15 8:59 p.m., 27 views

CVE-2026-44567 Open WebUI: Open WebUI Improper Authorization Control

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is...

7.3 CVSS, 0.00098 EPSS
Exploits: 1, References: 1

CNNVD
added 2026/05/15 12:0 a.m., 7 views

Open WebUI Security Vulnerability

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.1.124 contained security vulnerabilities. These vulnerabilities stemmed from APIs that did not properly verify whether the user had the authorized user role. When...

7.3 CVSS, 5.8 AI score, 0.00098 EPSS
Exploits: 1, References: 2

Snyk
added 2026/05/08 10:38 p.m., 7 views

Arbitrary File Upload

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Arbitrary File Upload via the storedoc process. An attacker can write arbitrary files to locations outside the intended upload directory by supplying crafted filenames containing path traversal sequences in t...

9.8 CVSS, 6.5 AI score, 0.00079 EPSS
Exploits: 1, References: 3

Snyk
added 2026/05/08 10:34 p.m., 8 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the authentication process. An attacker can gain unauthorized access to user-level API endpoints by registering an account, obtaining a valid JWT while in a pending role, and using th...

7.3 CVSS, 5.8 AI score, 0.00098 EPSS
Exploits: 1, References: 2