CVE-2026-34358 CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any...

CVE-2026-34358 CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any...

CVE-2026-34358

CtrlPanel (open-source billing software) exposes a broken access control in versions 1.1.1 and earlier due to missing authorization on admin write endpoints. Several controllers (ApplicationApiController admin.api.write; CouponController admin.coupons.write; PartnerController admin.partners.write...

CVE-2026-45398

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, validatecollectionaccess checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any...

CVE-2026-45398

Summary (concrete details from provided docs): Open WebUI before 0.9.5 exposes an IDOR vulnerability in the retrieval API where knowledge base collections (UUID-named) are not checked by _validate_collection_access. This allows any authenticated user who knows a private knowledge base UUID to rea...

GHSA-4G37-7P2C-38R9 Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls

IDOR: Retrieval API Bypasses Knowledge Base Access Controls Author: Andrew Orr Summary validatecollectionaccess PR 22109 checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who...

Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls

IDOR: Retrieval API Bypasses Knowledge Base Access Controls Author: Andrew Orr Summary validatecollectionaccess PR 22109 checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who...

CVE-2026-33286

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary...

Improper Control of Dynamically-Managed Code Resources

Overview graphiti is an Easily build jsonapi.org-compatible APIs Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the Graphiti::Util::ValidationResponseallvalid? method recursively calls model.sendname. An attacker can execute arbitrar...

CVE-2026-33286 Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary...

CVE-2026-33286

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary...

CVE-2026-33286 Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary...

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Summary An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations...

GHSA-3M5V-4XP5-GJG2 Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Summary An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations...

PT-2026-26750

Name of the Vulnerable Software and Affected Versions Graphiti versions prior to 1.10.2 Description Graphiti is a framework that exposes models through a JSON:API-compliant interface. Versions prior to 1.10.2 contain a flaw where an attacker can construct a malicious JSONAPI payload with arbitrar...

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Summary An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations...