4976 matches found
CVE-2026-45338
Open WebUI CVE-2026-45338 describes an SSRF in _process_picture_url() (oauth.py) where the server fetches URLs from OAuth picture claims without validate_url(), enabling requests to internal resources and exfiltration of the full response. Affected software before the fix: Open WebUI prior to ver...
CVE-2026-44569 Open WebUI: Insecure Message Access Breaks Authorization
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability...
CVE-2026-45400
CVE-2026-45400 relates to Open WebUI SSRF bypass in validate_url caused by a mismatch between urlparse and requests hostname handling. Before version 0.9.5, URLs like http://127.0.0.1:[email protected] could pass validation because hostname parsing treated the public IP (1.1.1.1) as the target, while ...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45675 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45675 Source advisory: OSV:GHSA-H3WW-Q6XX-W7X3...
openwebui-token-tracking (=0.1.7) potentially affected by CVE-2026-45672 via open-webui (=0.6.0)
open-webui PYPI version =0.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on open-webui and may be impacted: - openwebui-token-tracking =0.1.7 Source cves: CVE-2026-45672 Source advisory: SNYK:PYTHON-OPENWEBUI-16725766...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45671 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45671 Source advisory: OSV:GHSA-26G9-27VM-X3Q8...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by unknown CVE via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: unknown CVE Source advisory: SNYK:PYTHON-OPENWEBUI-16725481...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45401 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45401 Source advisory: SNYK:PYTHON-OPENWEBUI-16735624...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45401 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45401 Source advisory: OSV:GHSA-RH5X-H6PP-CJJ6...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45400 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45400 Source advisory: SNYK:PYTHON-OPENWEBUI-16755281...
GHSA-8W7Q-Q5JP-JVGX Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`
Summary In the open-webui project, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. Details In the current project, URL validation is performed using the function validateurl. The current checking logic uses urlparse to parse the hostname part ...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45399 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45399 Source advisory: OSV:GHSA-8JJP-R2W2-4V22...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45399 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45399 Source advisory: SNYK:PYTHON-OPENWEBUI-16725768...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45397 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45397 Source advisory: OSV:GHSA-65PG-QHHW-MXWG...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45396 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45396 Source advisory: OSV:GHSA-RJMP-VJF2-QF4G...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45395 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45395 Source advisory: SNYK:PYTHON-OPENWEBUI-16735131...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.8 <=0.1.10) +1 more potentially affected by CVE-2026-45387 via open-webui (=0.8.8)
open-webui PYPI version =0.8.8 is affected by a known vulnerability. The following packages have a transitive dependency on open-webui and may be impacted: - hubzoid =0.2.2, =0.1.8, =0.1.0, =0.1.5 Source cves: CVE-2026-45387 Source advisory: SNYK:PYTHON-OPENWEBUI-16755446...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45385 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45385 Source advisory: SNYK:PYTHON-OPENWEBUI-16755173...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45385 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45385 Source advisory: OSV:GHSA-WWHQ-CX22-F7VV...
hubzoid (>=0.2.2 <=0.6.0), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45349 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45349 Source advisory: OSV:GHSA-GFM2-XM6C-37QC...