Search: Open WebUI

122 matches found

CVE | added 2024/08/07 11:04 p.m. | 90 views

CVE-2024-6707

Open WebUI suffers a path traversal and arbitrary file upload vulnerability in version 0.1.105. The flaw arises when uploading files through the HTTP interface (via the + sign in the message input) to a static UPLOAD_DIR; the filename is taken from the request without validation, enabling tra...

CVSS 8.8 | AI score 6.7 | EPSS 0.01003
Web

CVE | added 2025/03/20 10:09 a.m. | 85 views

CVE-2024-12537

Summary: CVE-2024-12537 affects open-webui/open-webui v0.3.32, where unauthenticated access to /api/v1/utils/code/format can be abused by a high-volume POST to trigger unresponsiveness. Documented impact is denial of service / service degradation. A remediation is available: upgrade to open-webui...

CVSS 7.5 | AI score 7.7 | EPSS 0.00879
Web

CVE | added 2025/11/08 1:29 a.m. | 82 views

CVE-2025-64496

CVE-2025-64496 Open WebUI : A code injection vulnerability in the Direct Connections feature (v0.6.224 and earlier) allows external model servers to push SSE events that execute arbitrary JavaScript in victim browsers, leading to token theft, account takeover, and potential backend RCE when combi...

CVSS 8 | AI score 8.5 | EPSS 0.07767

CVE | added 2024/10/10 1:22 a.m. | 80 views

CVE-2024-7048

Open-WebUI open-webui v0.3.8 contains an improper privilege management flaw in API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc, enabling a lower-privileged user to view and overwrite admin-owned files, risking integrity and availability of RAG models. Root cause: insufficient access...

CVSS 6.3 | AI score 6.3 | EPSS 0.00362

CVE | added 2024/10/09 7:52 p.m. | 79 views

CVE-2024-7037

Open WebUI project (open-webui) v0.3.8 has a path traversal/Arbitrary File Write and Delete vulnerability in the /api/pipelines/upload endpoint caused by unsanitized file.filename concatenation with CACHE_DIR. This allows an attacker to overwrite or delete system files and could lead to remote co...

CVSS 7.2 | AI score 7 | EPSS 0.01032
Web

CVE | added 2025/05/05 6:50 p.m. | 79 views

CVE-2025-46719

Open WebUI vulnerability CVE-2025-46719 affects versions prior to 0.6.6. A flaw in rendering certain HTML tags in chat messages allows stored cross-site scripting (XSS) in chat transcripts, which are accessible by other users on the same server or via Open WebUI community sharing. In the user’s b...

CVSS 6.4 | AI score 6.5 | EPSS 0.00431
Web

CVE | added 2025/03/20 10:10 a.m. | 78 views

CVE-2024-7045

In open-webui/open-webui v0.3.8, an improper access-control vulnerability allows attackers to read prompts without admin verification by calling /api/v1/prompts/ to retrieve admin-created prompt data (including IDs) and then /api/v1/prompts/command/{command_id} for additional prompt i...

CVSS 4.3 | AI score 4.9 | EPSS 0.00401
Web

CVE | added 2025/03/20 10:11 a.m. | 78 views

CVE-2024-8053

Open WebUI vulnerability CVE-2024-8053 affects open-webui/open-webui v0.3.10 where the api/v1/utils/pdf endpoint lacks authentication, allowing unauthenticated access to the PDF generation service. Exploitation can involve sending a POST with an excessively large payload, potentially exhausting s...

CVSS 8.2 | AI score 7.5 | EPSS 0.00597
Web

CVE | added 2025/03/20 10:09 a.m. | 77 views

CVE-2024-7046

CVE-2024-7046 affects open-webui/open-webui v0.3.8. It is an improper access-control vulnerability that allows an attacker to view the first admin (owner) details by directly calling /api/v1/auths/admin/details without verifying admin privileges. The issue is demonstrated by public PoCs (e.g., a ...

CVSS 4.3 | AI score 6.8 | EPSS 0.00401

CVE | added 2025/03/20 10:08 a.m. | 77 views

CVE-2024-7990

CVE-2024-7990 is an XSS in open-webui/open-webui v0.3.8, tracked across NVD/Red Hat/Snyk/GHSA. The issue occurs in the /api/v1/models/add endpoint where the model description is not properly sanitized before rendering in chat, enabling an attacker to inject scripts that run in other users’ browse...

CVSS 8.4 | AI score 7.6 | EPSS 0.00889
Web

CVE | added 2025/03/20 10:10 a.m. | 75 views

CVE-2024-7043

CVE-2024-7043 concerns open-webui/open-webui v0.3.8, where improper access control enables an attacker to enumerate and delete user-uploaded files via the API. The vulnerability arises because the system does not verify administrator privileges for GET /api/v1/files/ (listing files) and then enab...

CVSS 8.8 | AI score 7.8 | EPSS 0.00563
Web

CVE | added 2025/03/20 10:10 a.m. | 73 views

CVE-2024-7035

The CVE-2024-7035 issue affects open-webui/open-webui (v0.3.8). The underlying problem is CSRF because sensitive actions (delete/reset) are invoked via GET requests. Affected endpoints include /rag/api/v1/reset, /rag/api/v1/reset/db, /api/v1/memories/reset, and /rag/api/v1/reset/uploads, impactin...

CVSS 6.9 | AI score 6.8 | EPSS 0.00234

CVE | added 2024/10/09 7:57 p.m. | 72 views

CVE-2024-7041

CVE-2024-7041 affects open-webui/open-webui v0.3.8, with an Insecure Direct Object Reference (IDOR) in the API endpoint /api/v1/memories/{id}/update. The flaw stems from inadequate access controls, allowing an attacker to edit other users’ memories without proper authorization. Public/connected s...

CVSS 6.5 | AI score 6.4 | EPSS 0.00357
Web

CVE | added 2025/03/20 10:11 a.m. | 68 views

CVE-2024-7039

CVE-2024-7039 affects open-webui/open-webui v0.3.8. Affected component: API-based user management. Root cause: improper privilege management allows an admin to delete other administrators via the endpoint http://0.0.0.0:8080/api/v1/users/{uuid_administrator}, despite UI restrictions. Impact: elev...

CVSS 8.3 | AI score 6.9 | EPSS 0.00647
Web

CVE | added 2024/04/16 2:24 p.m. | 64 views

CVE-2024-30256

CVE-2024-30256 affects Open WebUI prior to version 0.1.117. The vulnerability is an authenticated blind server-side request forgery (SSRF) in the backend, specifically in the function download_file_stream() inside Open WebUI’s backend/apps/web/routers/utils.py, exploitable via the url parameter. ...

CVSS 6.4 | AI score 6.5 | EPSS 0.00412

CVE | added 2025/03/20 10:09 a.m. | 64 views

CVE-2024-7959

The CVE-2024-7959 entry affects open-webui/open-webui v0.3.8, where the /openai/models endpoint is vulnerable to SSRF. An attacker can modify the OpenAI URL without validation, causing the endpoint to issue requests to arbitrary URLs and return the response, potentially exposing internal services...

CVSS 7.7 | AI score 7.8 | EPSS 0.24461
Web

CVE | added 2025/05/05 6:45 p.m. | 63 views

CVE-2025-46571

CVE-2025-46571 affects Open WebUI prior to version 0.6.6. Low-privileged users could upload HTML files containing JavaScript via the backend endpoint /api/v1/files/, which returns a file id. An attacker could lure an admin to click a link to such a file, causing the JavaScript to execute in the a...

CVSS 6.3 | AI score 6.4 | EPSS 0.00288
Web

CVE | added 2024/08/07 11:01 p.m. | 58 views

CVE-2024-6706

Open WebUI has a stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-6706, in version 0.1.105 on Debian 12. The issue arises when a malicious prompt coerces the language model into executing arbitrary JavaScript in the context of the web page. Connected advisories (KL-001-2024-005; GHSA-5JP3-WP5V-5...

CVSS 6.3 | AI score 6.6 | EPSS 0.0062

CVE | added 2025/11/08 1:25 a.m. | 58 views

CVE-2025-64495

Open WebUI (self-hosted offline AI platform) is affected by a Stored DOM XSS in RichTextInput when the “Insert Prompt as Rich Text” option is enabled. In versions 0.6.34 and earlier, the prompt body is parsed with marked.parse and then assigned to a temporary div’s innerHTML without sanitisation,...

CVSS 8.7 | AI score 5.8 | EPSS 0.0046
Web

CVE | added 2025/03/20 10:10 a.m. | 53 views

CVE-2024-12534

The CVE-2024-12534 entry concerns open-webui/open-webui version 0.3.32, where the sign-in flow accepts excessively large values in the email and password fields due to missing character-length validation. This concrete root cause enables a Denial of Service (DoS) by exhausting server resources (C...

CVSS 7.5 | AI score 7 | EPSS 0.00811

CVE | added 2024/10/09 6:26 p.m. | 52 views

CVE-2024-7038

CVE-2024-7038 describes an information disclosure in open-webui v0.3.8 where the embedding model update feature under admin settings reveals different error messages based on file existence/configuration. This enables an attacker to enumerate file names and traverse directories, exposing sensitiv...

CVSS 2.7 | AI score 3.2 | EPSS 0.00336

CVE | added 2026/05/15 8:37 p.m. | 52 views

CVE-2026-45401

CVE-2026-45401 affects Open WebUI and describes an SSRF bypass: before version 0.9.5, the validate_url() check only validated the initial URL, while downstream HTTP clients (requests, aiohttp, LangChain WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirected targ...

CVSS 8.5 | AI score 5.8 | EPSS 0.003
Web

CVE | added 2025/03/20 10:09 a.m. | 51 views

CVE-2024-7033

Open WebUI (open-webui/open-webui) version 0.3.8 contains an arbitrary file write vulnerability in the download_model endpoint, exploitable on Windows due to improper file-path handling. An attacker can manipulate the target path to write files to arbitrary locations on the server filesystem, pot...

CVSS 7.2 | AI score 8.3 | EPSS 0.01125

CVE | added 2025/03/20 10:11 a.m. | 50 views

CVE-2024-7053

CVE-2024-7053 affects open-webui/open-webui version 0.3.8. A session-fixation vulnerability allows a user-level attacker to cause the administrator’s session cookie to be exfiltrated via a cross-origin request triggered by a malicious markdown image in chat. The cookies use SameSite=Lax and lack ...

CVSS 9 | AI score 7.9 | EPSS 0.00659

CVE | added 2025/03/20 10:11 a.m. | 50 views

CVE-2024-7806

CVE-2024-7806 affects open-webui/open-webui ≤ 0.3.8. A CSRF flaw (lax SameSite cookies, no CSRF tokens) enables remote code execution by non-admin users when a victim visits a crafted page, potentially modifying a pipeline’s Python code and running arbitrary commands with the victim’s privileges....

CVSS 8.8 | AI score 8.5 | EPSS 0.00444

CVE | added 2025/03/20 10:10 a.m. | 49 views

CVE-2024-7034

Open WebUI 0.3.8 is affected by a directory traversal vulnerability in the /models/upload endpoint due to unsafe handling of file.filename, allowing arbitrary file writes outside the UPLOAD_DIR and potentially overwriting system files. This can lead to unauthorized modifications and may enable re...

CVSS 7.2 | AI score 6.9 | EPSS 0.02458
Web

CVE | added 2025/03/20 10:09 a.m. | 47 views

CVE-2024-7036

Affected software: open-webui/open-webui v0.3.8. Vulnerability: denial of service via an excessively long name field during signup, causing the Admin panel to become unresponsive. Impact: prevents admin user management actions (delete/edit/add users); can be exploited by unauthenticated users or ...

CVSS 7.5 | AI score 7.4 | EPSS 0.00799

CVE | added 2025/04/21 12:00 a.m. | 47 views

CVE-2025-29446

Open-webui v0.5.16 is affected by a Server-Side Request Forgery (SSRF) in routers/ollama.py verify_connection. Root cause is the verify_connection function allowing manipulation of backend requests. Impact is limited to SSRF with local attack vector per the CVSS data (low base score, local access...

CVSS 3.3 | AI score 7.1 | EPSS 0.00187

CVE | added 2025/03/20 10:09 a.m. | 46 views

CVE-2024-7040

CVE-2024-7040 affects open-webui/open-webui v0.3.8, where an improper access-control flaw on the frontend admin page lets an admin view chats of other admins by tampering with the user_id parameter. Root cause: insufficient authorization checks on admin chats. Affected component is the admin chat view...

CVSS 4.9 | AI score 5.2 | EPSS 0.00562

CVE | added 2025/03/20 10:10 a.m. | 46 views

CVE-2024-7983

Open-WebUI 0.3.8 exposes an unauthenticated markdown-to-HTML endpoint (likely /api/v1/utils/markdown). A crafted payload can cause high CPU/time consumption, rendering the server unresponsive (DoS). Remediation: upgrade to open-webui version 0.5.13 or newer.

CVSS 7.5 | AI score 7.4 | EPSS 0.00811

CVE | added 2025/03/20 10:10 a.m. | 45 views

CVE-2024-7044

Open WebUI vulnerable to Stored XSS (CVE-2024-7044) in open-webui/open-webui v0.3.8 via chat file upload. An attacker can inject malicious content into a file that, when accessed by a victim (via URL or shared chat), executes JavaScript in the browser, enabling user data theft, session hijacking,...

CVSS 8.9 | AI score 5.9 | EPSS 0.00477

CVE | added 2024/10/10 7:15 a.m. | 39 views

CVE-2024-7049

Open-webui/open-webui is affected at version v0.3.8. The root issue is that a token is returned when a user with a pending role logs in, allowing actions without admin approval and bypassing the intended approval workflow. The CVE entry lists a moderate impact (CVSS ~5.4) with no explicit exploit...

CVSS 5.4 | AI score 5.4 | EPSS 0.00337

CVE | added 2026/05/15 8:55 p.m. | 39 views

CVE-2026-45672

Open WebUI CVE-2026-45672 affects the /api/v1/utils/code/execute endpoint, where arbitrary Python code can be executed via Jupyter for any verified user even when ENABLE_CODE_EXECUTION is false. The feature gate is not enforced at the API level, so code execution is possible despite the admin set...

CVSS 8.8 | AI score 6 | EPSS 0.00406

CVE | added 2025/03/20 10:11 a.m. | 37 views

CVE-2024-8017

CVE-2024-8017 is an XSS vulnerability in open-webui/open-webui versions

CVSS 9 | AI score 8.7 | EPSS 0.00553

CVE | added 2026/05/15 7:21 p.m. | 37 views

CVE-2026-45339

Open WebUI (self-hosted offline AI platform) has a vulnerability where endpoint access restrictions on API keys could be bypassed by using the x-api-key header, even when the key was restricted from sensitive endpoints like /api/v1/messages. Prior to version 0.9.0, requests with Authorization: Be...

CVSS 6.5 | AI score 5.8 | EPSS 0.00309
Web

CVE | added 2026/01/23 3:28 a.m. | 35 views

CVE-2026-0766

Open WebUI contains a vulnerability in load_tool_module_by_id that allows remote code execution via command injection. The flaw comes from insufficient validation of a user-supplied string before it is used to execute Python code, enabling an attacker to run arbitrary code in the service account’...

CVSS 8.8 | AI score 6.5 | EPSS 0.27227
Web

CVE | added 2026/05/15 8:35 p.m. | 35 views

CVE-2026-45398

Open WebUI before 0.9.5 exposes an IDOR vulnerability in the retrieval API where knowledge base collections (UUID-named) are not checked by _validate_collection_access. This allows any authenticated user who knows a private knowledge base UUID to rea...

CVSS 7.5 | AI score 5.8 | EPSS 0.00331
Web

CVE | added 2026/05/15 7:12 p.m. | 34 views

CVE-2026-45675

Open WebUI CVE-2026-45675 describes a TOCTOU race in first-user admin role assignment for LDAP and OAuth paths prior to version 0.9.0. The signup path was fixed to insert with a default role first and upgrade if only one user remains; LDAP and OAuth paths did not receive that fix. Attack scenario...

CVSS 8.1 | AI score 5.3 | EPSS 0.00354

CVE | added 2025/12/18 12:00 a.m. | 32 views

CVE-2025-63391

Open-WebUI is affected up to version 0.6.32. The vulnerability is an authentication bypass at the /api/config endpoint, allowing unauthenticated remote attackers to access sensitive system configuration data due to missing authentication/authorization controls. Impact is indicated as high (CVSS v...

CVSS 7.5 | AI score 6.9 | EPSS 0.00548

CVE | added 2026/05/15 7:24 p.m. | 31 views

CVE-2026-44568

Summary: Open WebUI before v0.9.0 has a Stored XSS in the Pending User Overlay content. The vulnerability stems from rendering the admin-configured Pending User Overlay Content via marked.parse() inside {@html} with DOMPurify applied before markdown parsing, allowing an admin to inject JavaScript...

CVSS 4.8 | AI score 5.9 | EPSS 0.0017

CVE | added 2026/05/15 8:34 p.m. | 31 views

CVE-2026-45397

Open WebUI (self-hosted offline AI platform) is affected by CVE-2026-45397. The vulnerability is an information disclosure in the retrieval endpoint: GET /api/v1/retrieval/ can return live RAG configuration to unauthenticated clients. Affected component is backend/open_webui/routers/retrieval.py ...

CVSS 5.3 | AI score 5.8 | EPSS 0.0072

CVE | added 2026/05/15 9:42 p.m. | 31 views

CVE-2026-45665

Open WebUI contains a Stored XSS in the Banner component due to incorrect sanitization order (DOMPurify before marked.parse). The vulnerability allows a compromised administrator to store a payload in the global banner that is rendered for all users, including the Super Admin, enabling privilege ...

CVSS 8.1 | AI score 5.8 | EPSS 0.00322

CVE | added 2026/05/15 7:40 p.m. | 30 views

CVE-2026-44560

Open WebUI (self-hosted offline AI platform) contains a vector-search access control flaw in the RAG retrieval path. In get_sources_from_items, non-full-context file/text collection paths can query the vector store without authorization, enabling extraction of content from files and knowledge bas...

CVSS 6.5 | AI score 5.8 | EPSS 0.00366

CVE | added 2026/05/15 9:23 p.m. | 28 views

CVE-2026-45350

Open WebUI (self-hosted AI platform) has a vulnerability in the chat_completion API prior to version 0.8.6 where user-supplied tool_ids/tool_servers are used to build a tools_dict without permission checks. This allows invoking any server tool using the server’s credentials, bypassing tool restri...

CVSS 7.1 | AI score 5.8 | EPSS 0.0026

CVE | added 2026/05/15 8:36 p.m. | 28 views

CVE-2026-45386

Technical summary (CVE-2026-45386): Open WebUI’s pin_channel_message API endpoint exposes an IDOR vulnerability in standard channels. Prior to version 0.9.5, the endpoint checks only read permission for non-admin users, allowing read-only users to pin/unpin any message in channels where they have ...

CVSS 4.3 | AI score 5.8 | EPSS 0.00204

CVE | added 2026/05/15 8:32 p.m. | 28 views

CVE-2026-45387

Open WebUI vulnerability CVE-2026-45387 affects Open WebUI (self-hosted offline AI) prior to version 0.9.5, where granting a group read access to a model could let other users view the model’s system prompt. Root cause: read-permission exposure of confidential prompt data. Impact: potential leaka...

CVSS 4.3 | AI score 5.8 | EPSS 0.0022

CVE | added 2026/05/15 7:57 p.m. | 27 views

CVE-2026-44552

CVE-2026-44552 affects Open WebUI. Before 0.9.0, tool_servers and terminal_servers keys in Redis were unprefixed, so when multiple instances share a Redis backend they can collide, allowing an admin on one instance to poison another’s cache and have users interact with attacker-controlled tool co...

CVSS 8.7 | AI score 5.8 | EPSS 0.00305

CVE | added 2026/05/15 7:59 p.m. | 26 views

CVE-2026-44551

Open WebUI vulnerability CVE-2026-44551: before version 0.9.0, the LDAP authentication endpoint does not validate non-empty passwords, allowing an unauthenticated Simple Bind on many LDAP servers. The LdapForm model accepts password: str without a minimum length, so an empty string can reach the ...

CVSS 9.1 | AI score 5.8 | EPSS 0.01461

CVE | added 2026/05/15 7:28 p.m. | 26 views

CVE-2026-44563

Open WebUI’s Ollama integration vulnerability (CVE-2026-44563) affects the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints. These endpoints forward a user-supplied model name to the Ollama backend without enforcing AccessGrants.has_access(), effectively bypassing mo...

CVSS 5.4 | AI score 5.8 | EPSS 0.00238
Web

CVE | added 2026/05/15 9:31 p.m. | 24 views

CVE-2026-45314

Open WebUI vulnerability CVE-2026-45314 describes a stored XSS in the profile image handling for webhooks. Before version 0.9.3, the channel webhook create/update flow accepts data URLs (data:image/svg+xml;base64,...) for profile_image_url. The API then serves the decoded SVG as image/svg+xml wit...

CVSS 7.4 | AI score 6 | EPSS 0.00212

Total number of security vulnerabilities: 122