7035 matches found
Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission
Vulnerability DescriptionIn standard channels i.e., channels whose channel.type is neither group nor dm, the endpointPOST /api/v1/channels/channelid/messages/messageid/update can be accessed with read permission only.When accesscontrol is set to None, the authorization check hasaccess...,...
Open WebUI has inconsistent authorization controls within memories API
SummaryAuthorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories. DetailsUsing a newly created non-admin user with no existing memories, it is possible to view existing...
PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
Summarypraisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attack...
PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries
SummaryPraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. DetailsThis issue affects...
PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
Summarypraisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attack...
Open WebUI's Insecure Message Access Breaks Authorization
DescriptionThere's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but...
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
SummaryThe safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls...
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
SummaryPraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. DetailsThe vulnerable server is the shipped...
Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels
Missing Access Check on Channel Members Endpoint for Standard Channels Affected ComponentChannel members listing endpoint:- backend/openwebui/routers/channels.py lines 445-507, getchannelmembersbyid Affected VersionsCurrent main branch and likely all versions with the channels feature...
Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search
Unauthorized File and Knowledge Base Content Access via RAG Vector Search Affected ComponentRAG source resolution in chat completion pipeline:- backend/openwebui/retrieval/utils.py lines 963-965, 1063-1068, 1126-1131 in getsourcesfromitems Affected VersionsCurrent main branch commit 6fdd19bf1 and...
Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO
Read-Only Users Can Modify Collaborative Documents via Socket.IO Affected ComponentSocket.IO collaborative document editing handler:- backend/openwebui/socket/main.py lines 667-721, ydoc:document:update handler Affected VersionsCurrent main branch and likely all versions with collaborative note...
Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Vulnerability DetailsCWE-79: Cross-site Scripting XSSThe AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order: Vulnerable Codesrc/lib/components/layout/Overlay/AccountPending.svelt...
Open WebUI has stored XSS in Excel file preview
SummaryExcel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheettohtml to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. DetailsThe...
Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show Affected ComponentOllama proxy endpoints missing model access control:- backend/openwebui/routers/ollama.py lines 955-995, generatecompletion- backend/openwebui/routers/ollama.py lines 835-881, embed-...
Open WebUI's Model Import Overwrites Any Model Without Ownership Check
Model Import Overwrites Any Model Without Ownership Check Affected ComponentModel import endpoint:- backend/openwebui/routers/models.py lines 254-308, importmodels Affected VersionsCurrent main branch commit 6fdd19bf1 and likely all versions with model import functionality. DescriptionThe POST...
Open WebUI has Improper Authorization Control
CONFIDENTIAL Vulnerability Disclosure Analysis Documentation--- Vulnerability Details| | Field | Value ||---|-------|-------|| 1 | Discoverer | Taylor Pennington of KoreLogic, Inc. || 2 | Date Submitted | June 11, 2024 || 3 | Title | Open WebUI Improper Authorization Control || 5 | Affected Vendo...
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
CONFIDENTIAL KL-CAN-2024-002 Vulnerability Details| | Field | Value ||---|-------|-------|| 1 | Discoverer | Jaggar Henry & Sean Segreti of KoreLogic, Inc. || 2 | Date Submitted | 2024.03.12 || 3 | Title | Open WebUI Arbitrary File Upload + Path Traversal || 5 | Affected Vendor | Open WebUI || 6 ...
Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants
Channel Access Grants Bypass filterallowedaccessgrants Affected ComponentChannel creation and update endpoints:- backend/openwebui/routers/channels.py lines 291-340, createnewchannel- backend/openwebui/routers/channels.py lines 617-638, updatechannelbyid- backend/openwebui/models/channels.py line...
Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels
Deactivated Channel Members Retain Full Access to Group/DM Channels Affected ComponentChannel membership authorization check:- backend/openwebui/models/channels.py lines 663-673, isuserchannelmember- Used at 15 locations in backend/openwebui/routers/channels.py Affected VersionsCurrent main branc...
Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite Affected ComponentRetrieval web/YouTube processing endpoints:- backend/openwebui/routers/retrieval.py lines 1810-1837, processweb- backend/openwebui/routers/retrieval.py the parallel processyoutube endpoint-...
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Global Knowledge Base Enumeration via knowledge-bases Meta-Collection Affected ComponentRetrieval collection access validation:- backend/openwebui/routers/retrieval.py lines 2330-2355, validatecollectionaccess- backend/openwebui/routers/retrieval.py query endpoints, e.g. POST /query/doc Affected...
banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI
Summarybanks = 2.4.1 uses jinja2.Environment unsandboxed to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt are vulnerable to Server-Side Template Injection SSTI, which can lead to Remote Code Execution RCE on the host system.This is a...
Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining
Base Model Routing Bypasses Access Control via Model Chaining Affected ComponentModel chaining via basemodelid:- backend/openwebui/routers/models.py lines 170-214, createnewmodel- backend/openwebui/routers/models.py lines 254-308, importmodels- backend/openwebui/main.py lines 1696-1711, base mode...
Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
SummaryMicrosoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A...
open-webui Vulnerable to Stored XSS via Model Description
!IMPORTANT Relationship to CVE-2024-7990 CVE-2024-7990 issued by huntr.dev, March 2025 describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder...
OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer
In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...
Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts Affected ComponentFolder creation endpoint and form model:- backend/openwebui/models/folders.py lines 72-77, FolderForm with extra='allow'- backend/openwebui/models/folders.py lines 95-106, insertnewfolder...
Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning
Redis Cache Keys toolservers and terminalservers Missing Instance Prefix Enable Cross-Instance Cache Poisoning Affected ComponentTool server and terminal server Redis cache:- backend/openwebui/utils/tools.py line 841, toolservers SET- backend/openwebui/utils/tools.py line 850, toolservers GET-...
utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
SummaryThe utcp-http plugin is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registermanual validates the discovery URL against an HTTPS / loopback allowlist, but calltool and calltoolstreaming reuse t...
Open WebUI's responses passthrough endpoint lacks access control authorization
SummaryThe /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint generatechatcompletion checks model ownership, group membership, and...
OpenStack Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints
OpenStack Cyborg before 16.0.1 uses rule:allow checkstr='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complet...
Bunsink has an SSRF bypass in `validate_webhook_url`
SummaryBugsink’s webhook URL validation in versions 2.1.2 and earlier could be partially bypassed because of a mismatch in URL parsing.In some malformed URLs, Python’s standard URL parser urllib and the HTTP client stack requests / urllib3 do not agree on which host is actually being targeted. Th...
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access Affected ComponentSocket.IO session state and role-check callsites:- backend/openwebui/socket/main.py lines 330-351, connect handler — role snapshotted into SESSIONPOOL- backend/openwebui/socket/main.py lines...
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
SummaryThe RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. This vulnerability is present in the RedirectHandlers...
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
SummaryBentoML's bentoml build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact.If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a...
Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)
ImpactAegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user User A, given another user's threadid User B, can:- Execute graph runs against User B's thread via POST /threads/threadid/runs,...
PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)
TL;DRCVE-2026-40287's fix gated tools.py auto-import behind PRAISONAIALLOWLOCALTOOLS=true in two files toolresolver.py, api/call.py. A third import sink in praisonai/templates/tooloverride.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is...
Postorius is vulnerable to XSS
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...
misp-modules has nsafe remote resource fetching in expansion
An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally...
PraisonAI has an SSRF bypass
SummaryThe URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. DetailsThe current PraisonAI project uses validateurl to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by...
docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler
ImpactThe URLInputHandler class in doclinggraph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no...
pyquorum: Timing side‑channel in mul_mod
ImpactThe mulmod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand the exponent. An attacker who can measure the time of secret‑sharing operations e.g., via a remote service could progressively recover the value...
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with ...
python-multipart has Denial of Service via unbounded multipart part headers
Summarypython-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many...
Lemur: LDAP Authentication Globally Disables TLS Certificate Verification When LDAP_USE_TLS Is Enabled
Description OverviewWhen LDAP TLS is enabled LDAPUSETLS = True, Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to intercept all...
Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed
ImpactA receiver who specifies "--output " where that output directory currently exists as a directory. Patches0.24.0 will contain the patch WorkaroundsEnsure local target directories specified by "--output" do not already exist ResourcesPrivate email and Signal communications from a user.Magic...
Lemur: LDAP Filter Injection enables post-authentication privilege escalation
Description OverviewLemur's LDAP authentication module lemur/auth/ldap.py constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries...
Granian vulnerable to DoS via WSGI response header panic
SummaryGranian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a...
Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic
SummaryGranian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes.The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked.This is a single-request...
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with ...