15 matches found
CVE-2026-45339
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...
CVE-2026-45339 Open WebUI: API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...
CVE-2026-45339 Open WebUI: API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...
GHSA-57Q6-FVP4-PQMM Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
Summary Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-... header are correctly blocked with 403. However, the same key sent via the x-api-key header bypasses the...
CVE-2026-40525
OpenViking prior to commit c7bb167 contains an authentication bypass in the VikingBot OpenAPI HTTP route surface. If api_key is unset or empty, authentication checks fail and remote attackers with network access can invoke privileged bot-control functionality without a valid X-API-Key header, inc...
CVE-2026-32913
OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intend...
CVE-2026-32913
OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intend...
EUVD-2017-0198
Malware in sbrugna...
CVE-2024-8954
In composiohq/composio version 0.5.10, the API does not validate the x-api-key header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the x-api-key header, thereby gaining unauthorized access to the server...
GHSA-959J-5G9V-3FPQ Paratrooper-newrelic Exposes of Sensitive Information to an Unauthorized Actor
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process...
Paratrooper-newrelic Exposes of Sensitive Information to an Unauthorized Actor
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process...
CVE-2014-1234
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process...
Design/Logic Flaw
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process...
CVE-2014-1234
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process...
CVE-2014-1234
CVE-2014-1234 affects the paratrooper-newrelic gem (Ruby) v1.0.1. A local attacker can obtain the X-Api-Key by listing the curl process, due to leakage in the process tree. Impact is local exposure of the API key. Public patches or mitigations are not detailed in the provided documents; refer to ...