CVE-2026-53871
Hermes WebUI prior to version 0.51.368 contains an authorization bypass in get_profile_cookie() that accepts unauthenticated profile names via the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie to bypass profile-scoped authorization and access sessions, files...
Server-side Request Forgery (SSRF)
Overview: open-webui is Open WebUI. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the validate_url process. An attacker can access internal network resources and sensitive information by supplying a URL that redirects to internal addresses, bypassing the...
Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
Summary: The SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects (301/302) by default, an attacker c...
Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}
Summary A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator...
Protection Mechanism Failure
Overview: open-webui is Open WebUI. Affected versions of this package are vulnerable to Protection Mechanism Failure via the profile_image_url field in the model metadata process. An attacker can execute arbitrary JavaScript in the context of another user's session by storing a crafted SVG payload...
Open WebUI: Stored XSS to Account Takeover via Model Profile Images
Stored XSS to Account Takeover via Model Profile Images in Open WebUI Affected: Open WebUI tags. On the output side, users.py added a MIME allowlist check and X-Content-Type-Options: nosniff. The fix was applied to UserUpdateForm, UpdateProfileForm, and later to ChannelWebhookForm. Three models...
Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion
Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...
Cross-site Scripting (XSS)
Overview: open-webui is Open WebUI. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Markdown file preview process when rendering Mermaid blocks with a permissive security configuration. An attacker can execute arbitrary JavaScript in the context of the victim'...
Open WebUI: Stored XSS in Mermaid Markdown Preview
Summary Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working paylo...
Open WebUI: Forged chat-file link allows cross-user file read and deletion
Summary: Open WebUI v0.9.5 lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has_access_to_file treats the victim file as accessible...
Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
Summary: backend/open_webui/utils/oauth.py::_process_picture_url (v0.9.5, lines 1435-1470) calls validate_url(picture_url) on the initial URL only, then invokes aiohttp.ClientSession.get(picture_url, ...) without allow_redirects=False. aiohttp's default is allow_redirects=True, max_redirects=10; the function does...
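The two redirect-bypass entries above (the Playwright loader and `_process_picture_url`) share one root cause: the SSRF check runs once, against the URL the user typed, and the HTTP client then follows redirects on its own into address space the check never saw. The following is an added example, not Open WebUI's code, that puts the vulnerable pattern next to a hardened fetch loop which disables client-side redirects and re-validates every hop. The network and DNS are replaced by constructed in-memory stand-ins (`FAKE_DNS`, `FAKE_SERVER`, `fake_fetch`, `fake_resolve`) so it runs offline; the host names, addresses and the redirect cap of 5 are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5  # assumed cap for this example; aiohttp's own default is 10


def _system_resolve(host):
    """Resolve a host name to the set of addresses it currently points at."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}


def validate_url(url, resolve=_system_resolve):
    """True only for http(s) URLs whose host resolves solely to routable, non-internal addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve(parts.hostname)
    except (OSError, ValueError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False
    return True


def fetch_vulnerable(url, fetch, resolve=_system_resolve):
    """The flawed pattern: validate the first URL, then let the client follow redirects itself."""
    if not validate_url(url, resolve):
        raise ValueError(f"blocked: {url}")
    _status, _headers, body = fetch(url, follow_redirects=True)
    return body


def fetch_hardened(url, fetch, resolve=_system_resolve, max_redirects=MAX_REDIRECTS):
    """Client-side redirects off; every Location target is validated before it is requested."""
    for _ in range(max_redirects + 1):
        if not validate_url(url, resolve):
            raise ValueError(f"blocked: {url}")
        status, headers, body = fetch(url, follow_redirects=False)
        location = headers.get("Location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # resolve relative Location headers against the current URL
            continue
        return body
    raise ValueError("too many redirects")


# Constructed offline stand-ins for DNS and the network (not real hosts or services).
FAKE_DNS = {
    "cdn.example.net": {"93.184.216.34"},      # a globally routable address
    "metadata.internal": {"169.254.169.254"},  # link-local cloud-metadata address
}
FAKE_SERVER = {
    "https://cdn.example.net/avatar.png": (302, {"Location": "http://metadata.internal/latest/meta-data/"}, b""),
    "http://metadata.internal/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
    "https://cdn.example.net/real.png": (200, {}, b"\x89PNG"),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, set())


def fake_fetch(url, follow_redirects):
    """Mimics a client such as aiohttp: with follow_redirects=True it chases Location headers itself."""
    status, headers, body = FAKE_SERVER[url]
    while follow_redirects and status in REDIRECT_STATUSES and headers.get("Location"):
        url = urljoin(url, headers["Location"])
        status, headers, body = FAKE_SERVER[url]
    return status, headers, body


def demo():
    """Returns (what the vulnerable fetch leaked, the error the hardened fetch raised)."""
    leaked = fetch_vulnerable("https://cdn.example.net/avatar.png", fake_fetch, fake_resolve)
    try:
        fetch_hardened("https://cdn.example.net/avatar.png", fake_fetch, fake_resolve)
        blocked = None
    except ValueError as exc:
        blocked = str(exc)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened loop still has a residual DNS-rebinding window between `resolve()` and the actual connection; closing it requires pinning the connection to the validated address, which is outside what this example shows.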
Origin Validation Error
Overview: open-webui is Open WebUI. Affected versions of this package are vulnerable to Origin Validation Error through the postMessage process. An attacker can execute unauthorized actions and trigger backend API calls under the victim's authenticated session by sending crafted cross-origin...
PT-2026-50482
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.6. Description: An authenticated user can attach arbitrary file id values to their own chat messages because the system fails to verify if the user owns or has read access to those files. By sharing the chat and...
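The forged chat-file link (this entry and the v0.9.5 summary above) and the forged meta.knowledge entry describe the same confused-deputy shape: a reference the user was allowed to write becomes, later, the evidence that the user may read what it points to. The following is an added example, not Open WebUI's code, with a minimal in-memory model of files, chats and sharing that reproduces the chain and shows the fix: check object-level access at the moment the reference is created, not only when it is consumed. All user ids, file ids and the `Chat`/`File` records are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class File:
    id: str
    owner: str


@dataclass
class Chat:
    id: str
    owner: str
    file_ids: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)  # user ids granted read access


def has_access_to_file(user, file_id, files, chats):
    """Access rule modelled after the advisory: the owner, or anyone who can read a chat that references the file."""
    f = files.get(file_id)
    if f is None:
        return False
    if f.owner == user:
        return True
    return any(
        file_id in chat.file_ids and (chat.owner == user or user in chat.shared_with)
        for chat in chats.values()
    )


def attach_file_vulnerable(user, chat, file_id, files, chats):
    """Only checks that the caller owns the chat; any file id is accepted."""
    if chat.owner != user:
        raise PermissionError("not your chat")
    chat.file_ids.append(file_id)


def attach_file_hardened(user, chat, file_id, files, chats):
    """Also requires that the caller can already read the file being linked."""
    if chat.owner != user:
        raise PermissionError("not your chat")
    if not has_access_to_file(user, file_id, files, chats):
        raise PermissionError(f"cannot attach a file you cannot read: {file_id}")
    chat.file_ids.append(file_id)


def run_scenario(attach):
    """Replays the advisory's steps and returns whether the attacker ends up able to read the victim's file."""
    files = {
        "f-victim-report": File("f-victim-report", "victim"),   # constructed victim-owned file
        "f-attacker-notes": File("f-attacker-notes", "attacker"),
    }
    chats = {}
    chat = Chat("c1", "attacker")
    chats[chat.id] = chat
    try:
        attach(chat.owner, chat, "f-victim-report", files, chats)
    except PermissionError:
        return False
    chat.shared_with.add("attacker")  # attacker shares the chat and grants themselves read access
    return has_access_to_file("attacker", "f-victim-report", files, chats)


if __name__ == "__main__":
    print("vulnerable leaks victim file:", run_scenario(attach_file_vulnerable))
    print("hardened leaks victim file:", run_scenario(attach_file_hardened))
```

The same attach-time check applies to any other user-writable field that later feeds an authorization decision, such as model meta.knowledge entries of type file.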
PT-2026-50486
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.6. Description: A path traversal issue exists in the cache file serving endpoint /cache/{path:path} that allows authenticated users with the role of user or admin to read files from sibling directories outside th...
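Both cache-endpoint entries (this one and the sibling-prefix summary above) hinge on a containment check done with `startswith` on the base directory string without a trailing separator. The following is an added example, not Open WebUI's code, that shows why that check passes a sibling directory and how a component-wise comparison with `os.path.commonpath` rejects it. The directory names are constructed for illustration and need not exist on disk.

```python
import os


def cache_path_vulnerable(cache_dir, user_path):
    """Containment check with the sibling-prefix flaw (illustrative, not the project's code).

    `target.startswith(base)` compares characters, not path components, so
    /srv/app/cache_backup/... is accepted for a base of /srv/app/cache because
    the string merely begins with the base string.
    """
    base = os.path.realpath(cache_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if not target.startswith(base):
        raise PermissionError(f"outside cache: {user_path}")
    return target


def cache_path_hardened(cache_dir, user_path):
    """Containment check that requires `target` to be `base` itself or a true descendant.

    os.path.commonpath works on components, so a sibling whose name shares a
    prefix is rejected. realpath collapses symlinks and `..` before the
    comparison, and an absolute user_path (which os.path.join would let
    replace the base outright) fails the same comparison.
    """
    base = os.path.realpath(cache_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"outside cache: {user_path}")
    return target


def check(fn, cache_dir, user_path):
    """Return the resolved path if the check accepted it, else None."""
    try:
        return fn(cache_dir, user_path)
    except PermissionError:
        return None


if __name__ == "__main__":
    for p in ("avatars/a.png", "../cache_backup/db.sqlite", "../../../etc/passwd"):
        print(p, check(cache_path_vulnerable, "/srv/app/cache", p), check(cache_path_hardened, "/srv/app/cache", p))
```

The naive check does stop ordinary `../../etc/passwd` traversal, which is why it survives casual testing; the sibling case is the one to include in a regression test.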
PT-2026-50488
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.6. Description: Open WebUI contains a Broken Object Level Authorization (BOLA) issue in the builtin search knowledge files function. BOLA occurs when an application does not properly verify if a user has permission...
CVE-2026-48155 vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-25087 vulnerabilities
Vulnerabilities for packages: open-webui...
GHSA-RGXP-2HWP-JWGG vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-48156 vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-49973
Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...