Lucene search
+L
OpenwebuiOpen Webui

137 matches found

cve
cve
added 2026/05/15 7:41 p.m.31 views

CVE-2026-44559

Summary (CVE-2026-44559) Open WebUI’s channel membership endpoint has an access control flaw on standard channels. Prior to version 0.9.0, GET /api/v1/channels/{id}/members only enforced membership checks for channel types ‘group’ and ‘dm’; standard (including private) channels did not perform ch...

4.3CVSS5.8AI score0.00221EPSS
Web
cve
cve
added 2026/05/15 7:18 p.m.31 views

CVE-2026-45399

Open WebUI CVE-2026-45399 describes a broken authorization gap in multi-user deployments: before release 0.9.0, authenticated, low-privilege users could enumerate and stop global background tasks via GET /api/tasks and POST /api/tasks/stop/{task_id}, impacting integrity and availability across us...

7.1CVSS5.8AI score0.0027EPSS
Web
cve
cve
added 2026/05/15 9:41 p.m.31 views

CVE-2026-45667

Open WebUI vulnerability CVE-2026-45667: Before version 0.8.0, the unauthenticated GET /api/v1/memories/ef could trigger EMBEDDING_FUNCTION(...) and cause embedding generation, potentially incurring costs if paid providers are used. The issue is rooted in exposing a cost/resource–intensive operat...

6.5CVSS5.8AI score0.00341EPSS
cve
cve
added 2025/12/04 12:0 a.m.30 views

CVE-2025-63681

Open-WebUI CVE-2025-63681 affects v0.6.33. The API endpoint /api/tasks/stop/ allows direct cancellation of tasks without verifying ownership, enabling a normal user to stop arbitrary LLM response tasks (Incorrect Access Control). Base score 4.3 (Medium); attack vector NETWORK, privileges required...

4.3CVSS6.7AI score0.00263EPSS
cve
cve
added 2026/05/15 9:23 p.m.30 views

CVE-2026-45350

Open WebUI (self-hosted AI platform) has a vulnerability in the chat_completion API prior to version 0.8.6 where user-supplied tool_ids/tool_servers are used to build a tools_dict without permission checks. This allows invoking any server tool using the server’s credentials, bypassing tool restri...

7.1CVSS5.8AI score0.0026EPSS
cve
cve
added 2026/06/23 4:38 p.m.30 views

CVE-2026-54022

Summary (grounded in provided sources): Open WebUI prior to version 0.8.11 has a logic bug in the ydoc:document:join handler: authorization is only enforced for document IDs starting with the prefix note:. The YdocManager stores documents using a normalized key where colons are replaced with unde...

5.3CVSS5.9AI score0.00268EPSS
cve
cve
added 2026/05/15 7:26 p.m.29 views

CVE-2026-44564

Open WebUI (self-hosted offline AI platform) contains a vulnerability in the ydoc:document:update Socket.IO handler that allows read-only users to modify in-memory Yjs documents. The handler validates room membership but does not verify write permission, and read-only users join the document room...

5.4CVSS5.8AI score0.0022EPSS
cve
cve
added 2026/05/15 8:29 p.m.29 views

CVE-2026-45385

Summary (grounded): Open WebUI (self-hosted offline AI) contains an IDOR vulnerability in the update_message_by_id API for channels of type group/dm. In these paths, the code only verifies that the caller is a channel member (is_user_channel_member) and does not confirm message ownership, enablin...

4.3CVSS5.8AI score0.00204EPSS
cve
cve
added 2026/05/15 7:48 p.m.28 views

CVE-2026-44555

Open WebUI (self-hosted AI platform) has a vulnerability where a model created with base_model_id can chain to a restricted base model without validating access to that base model. Before 0.9.0, during model creation, the system does not verify the creator’s permission on the referenced base mode...

7.6CVSS5.9AI score0.00248EPSS
cve
cve
added 2026/05/15 7:43 p.m.28 views

CVE-2026-44558

Open WebUI contains a vulnerability in the channel access grants path prior to version 0.9.0. The channel router does not call filter_allowed_access_grants on create or update, allowing a non-admin user who can create or own a group channel to submit arbitrary access grants (including public wild...

5.4CVSS5.9AI score0.0019EPSS
cve
cve
added 2026/05/15 9:3 p.m.28 views

CVE-2026-44569

Open WebUI CVE-2026-44569 describes an IDOR in the channel messages management system. Before version 0.6.19, authenticated users could modify or delete any message in channels they can read because message ownership validation was missing in the backend update/delete endpoints, even though the f...

7.1CVSS5.8AI score0.00266EPSS
cve
cve
added 2026/05/15 7:22 p.m.28 views

CVE-2026-45331

CVE-2026-45331 concerns Open WebUI’s validate_url() in backend/open_webui/retrieval/web/utils.py, where a call to validators.ipv6(ip, private=True) raises a ValidationError due to the library not implementing the private keyword for IPv6. This causes IPv6 addresses to bypass the intended filter, ...

8.5CVSS5.8AI score0.00286EPSS
cve
cve
added 2026/05/15 9:7 p.m.28 views

CVE-2026-45365

Open WebUI suffers a parameter binding flaw: an internal bypass_filter parameter was exposed in the HTTP handlers for /openai/chat/completions and /ollama/api/chat via FastAPI query binding. This allowed any authenticated user to append ?bypass_filter=true and skip the ACL check, enabling access ...

5.4CVSS5.8AI score0.00193EPSS
Web
cve
cve
added 2026/06/23 4:42 p.m.28 views

CVE-2026-54018

Open WebUI (self-hosted offline AI) contains SSRF protection bypass in the Playwright Web Loader prior to version 0.9.6. The validator checks only the initial URL; Playwright follows redirects (301/302) by default, allowing an attacker-supplied URL that redirects to internal addresses (e.g., loca...

7.7CVSS5.9AI score0.00287EPSS
cve
cve
added 2026/06/23 4:41 p.m.28 views

CVE-2026-54019

Open WebUI CVE-2026-54019 describes an ACL bypass in Milvus multitenancy mode. Before version 0.9.6, collection-level ACL checks exist but can be bypassed when an attacker supplies user-controlled, unknown collection names, which Milvus treats as a resource_id and interpolates into an unsafe expr...

6.5CVSS5.8AI score0.00281EPSS
cve
cve
added 2026/05/15 8:0 p.m.27 views

CVE-2026-44550

Open WebUI prior to 0.9.0 vulnerable to mass assignment via Pydantic extra='allow' in FolderForm. The server constructs a FolderModel by merging attacker-controlled extra fields (from form_data.model_dump(exclude_unset=True)) over a server-populated user_id, and because user_id is a real field, a...

5CVSS6AI score0.00287EPSS
cve
cve
added 2026/05/15 7:54 p.m.27 views

CVE-2026-44553

Open WebUI (self-hosted offline AI) has a Socket.IO session cache vulnerability where admin role changes or user deletions are not propagated to active sessions. Prior to version 0.9.0, a user whose admin role was revoked can retain admin privileges within their existing Socket.IO session as long...

8.1CVSS5.8AI score0.00284EPSS
cve
cve
added 2026/05/15 9:31 p.m.27 views

CVE-2026-45314

Open WebUI vulnerability CVE-2026-45314 describes a stored XSS in the profile image handling for webhooks. Before version 0.9.3, the channel webhook create/update flow accepts data URLs (data:image/svg+xml;base64,...) for profile_image_url. The API then serves the decoded SVG as image/svg+xml wit...

7.4CVSS6AI score0.00212EPSS
cve
cve
added 2026/06/23 4:50 p.m.27 views

CVE-2026-54008

Summary of CVE-2026-54008 (Open WebUI) : The vulnerable code path in backend/open_webui/utils/oauth.py::_process_picture_url validates only the initial picture_url and then fetches it with aiohttp (session.get) using default redirect-follow behavior. This enables an attacker with a valid OAuth Id...

8.5CVSS5.9AI score0.00203EPSS
Web
cve
cve
added 2026/05/15 7:46 p.m.26 views

CVE-2026-44556

Open WebUI vulnerability CVE-2026-44556 affects the /api/openai/responses endpoint, where the proxy forwards requests to upstream LLMs without enforcing per-model access control. Pre-0.9.0, any authenticated user could interact with any configured model by POSTing to /responses with an arbitrary ...

7.1CVSS6AI score0.00306EPSS
cve
cve
added 2026/05/15 7:34 p.m.26 views

CVE-2026-44561

CVE-2026-44561 affects Open WebUI. The vulnerability arises in the is_user_channel_member check: before 0.9.0, the code verifies ChannelMember existence but ignores is_active, so deactivated members (status 'left', is_active=False) retain full read/write access to group/DM channels via direct API...

5.4CVSS5.8AI score0.00178EPSS
cve
cve
added 2026/05/15 9:40 p.m.26 views

CVE-2026-44565

CVE-2026-44565 affects Open WebUI prior to 0.6.10. The upload API derives the target path from the original HTTP upload filename without validation, enabling dot-segment path traversal and arbitrary file writes to locations the web server user can access. This is fixed in 0.6.10. Mitigation guida...

8.1CVSS5.8AI score0.00454EPSS
cve
cve
added 2026/05/15 8:2 p.m.26 views

CVE-2026-44721

CVE-2026-44721 documents a stored XSS in Open WebUI prior to version 0.9.0. The vulnerability arises from a flawed sanitizeResponseContent path that escapes HTML but does not neutralize a markdown link with a javascript: URI rendered via {@html}, enabling an authenticated user with workspace.mode...

7.3CVSS7.4AI score0.00308EPSS
cve
cve
added 2026/05/15 9:29 p.m.26 views

CVE-2026-45317

CVE-2026-45317 describes an application-wide CSRF vector in Open WebUI’s image handling prior to 0.9.3. An authenticated user can influence image URL rendering so that viewing a compromised image causes the user’s browser to issue GET requests to an attacker-controlled URL, potentially leaking co...

4.6CVSS5.8AI score0.00165EPSS
cve
cve
added 2026/05/15 7:20 p.m.26 views

CVE-2026-45349

Open WebUI had a broken access control issue for the completions API ( /api/chat/completions ) allowing a user to continue another user’s conversation if they knew the other user’s Chat ID. This privacy/policy bypass could expose private conversations. The issue affects prior to version 0.9.0 and...

7.1CVSS5.8AI score0.00231EPSS
Web
cve
cve
added 2026/05/15 8:40 p.m.26 views

CVE-2026-45402

Open WebUI CVE-2026-45402 describes a cross-user file access/overwrite vulnerability in offline Open WebUI prior to 0.9.5. Two concrete paths allow attaching a victim’s file_id without verifying ownership: (1) folder knowledge ingestion via POST /api/v1/folders/{id}/update and (2) knowledge-base ...

8.1CVSS5.8AI score0.00346EPSS
Web
cve
cve
added 2026/06/23 4:51 p.m.26 views

CVE-2026-54007

CVE-2026-54007 describes a cross-origin postMessage bypass in Open WebUI prior to version 0.9.6. The root cause is a chat input/submit flow in the Chat.svelte window message listener that accepts non-same-origin messages (input:prompt and action:submit) and forwards them to submitPrompt(), enabli...

7.1CVSS5.8AI score0.00162EPSS
Web
cve
cve
added 2025/12/04 7:55 p.m.25 views

CVE-2025-65958

Open WebUI (self-hosted offline AI platform) is affected by a Server-Side Request Forgery (SSRF) in the /api/v1/retrieval/process/web endpoint. The vulnerability allows any authenticated user to force the server to fetch arbitrary URLs, enabling access to internal/cloud metadata endpoints (e.g., ...

8.5CVSS6.5AI score0.04117EPSS
cve
cve
added 2026/03/26 11:54 p.m.25 views

CVE-2026-29071

CVE-2026-29071 affects Open WebUI. Before v0.8.6, any authenticated user could read other users’ private memories via the vulnerable endpoint /api/v1/retrieval/query/collection, enabling exposure of documents, memories, and user metadata. The root cause is missing authorization in collection quer...

4.3CVSS5.8AI score0.00253EPSS
cve
cve
added 2026/05/15 7:30 p.m.25 views

CVE-2026-44562

Open WebUI vulnerability CVE-2026-44562 affects the model import flow. Before version 0.9.0, POST /api/v1/models/import allowed users with workspace.models_import to overwrite any existing model without ownership checks, merging the attacker payload into the target model when IDs match, and bypas...

6.5CVSS5.8AI score0.0029EPSS
cve
cve
added 2026/05/15 9:30 p.m.25 views

CVE-2026-45316

Summary (Open WebUI CVE-2026-45316): A permission check bug in the POST /api/v1/notes/{id}/pin endpoint allows read-only users to toggle a note’s is_pinned state because it checks read permission instead of write. The issue occurs in Open WebUI prior to 0.9.3 and is fixed in 0.9.3. The vulnerabil...

3.5CVSS5.8AI score0.00218EPSS
Web
cve
cve
added 2026/05/15 8:40 p.m.25 views

CVE-2026-45400

CVE-2026-45400 relates to Open WebUI SSRF bypass in validate_url caused by a mismatch between urlparse and requests hostname handling. Before version 0.9.5, URLs like http://127.0.0.1:[email protected] could pass validation because hostname parsing treated the public IP (1.1.1.1) as the target, while ...

8.5CVSS5.8AI score0.00292EPSS
cve
cve
added 2026/06/23 4:46 p.m.25 views

CVE-2026-54013

CVE-2026-54013 describes a stored XSS in Open WebUI where the model profile image URL could be a data:image/svg+xml;base64 payload. The root cause is missing input validation on ModelMeta.profile_image_url and missing output protections in the model image endpoint (no MIME allowlist, no nosniff, ...

7.6CVSS5.8AI score0.00174EPSS
cve
cve
added 2026/01/23 3:28 a.m.24 views

CVE-2026-0765

CVE-2026-0765 affects Open WebUI via the Python package Open WebUI/PIP install_frontmatter_requirements, where lack of validation of a user-supplied string before a system call enables a remote code execution in the service account context. Attacker authentication is required to exploit. Multiple...

8.8CVSS6.5AI score0.01685EPSS
cve
cve
added 2026/05/15 9:45 p.m.24 views

CVE-2026-44549

CVE-2026-44549 details (Open WebUI) : Open WebUI before 0.8.0 previews Excel attachments unsafely. The XLSX payload can trigger sheet_to_html to embed an XSS payload, which is then inserted into the DOM via @html without sanitization, enabling stored XSS. The issue is resolved in version 0.8.0. R...

8.7CVSS5.8AI score0.00318EPSS
cve
cve
added 2026/05/15 9:24 p.m.24 views

CVE-2026-44571

CVE-2026-44571 concerns the Open WebUI platform. In standard channels, the endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update could be invoked with only read permission if access_control is None, allowing unauthorized users to modify other users’ messages. The issue is fixed...

6.5CVSS5.8AI score0.00277EPSS
Web
cve
cve
added 2026/05/15 9:44 p.m.24 views

CVE-2026-45299

Open WebUI had a stored XSS vulnerability in the profile_image_url field on the user profile update form prior to version 0.8.0, due to lack of MIME-type validation for data URIs. Two attack paths were demonstrated: (1) data:text/html;base64… opened in a new tab, and (2) data:image/svg+xml;base64...

5.4CVSS5.9AI score0.00199EPSS
cve
cve
added 2026/05/15 9:46 p.m.24 views

CVE-2026-45338

Open WebUI CVE-2026-45338 describes an SSRF in _process_picture_url() (oauth.py) where the server fetches URLs from OAuth picture claims without validate_url(), enabling requests to internal resources and exfiltration of the full response. Affected software before the fix: Open WebUI prior to ver...

7.7CVSS6AI score0.00381EPSS
Web
cve
cve
added 2026/05/15 9:17 p.m.24 views

CVE-2026-45345

Open WebUI (self-hosted AI platform) has a vulnerability in the model update function prior to version 0.5.7 where an attacker could modify another user’s private model by changing access permissions during editing. The issue is confirmed in multiple sources (CVE-2026-45345, GHSA-gm54-m39w-grjp, ...

6.5CVSS5.8AI score0.00226EPSS
cve
cve
added 2026/05/15 9:9 p.m.24 views

CVE-2026-45351

Open WebUI vulnerability CVE-2026-45351: A non-admin user could trigger a request to /api/models? and receive the system prompt of available models, revealing admin-set backend prompts and compromising confidentiality. This affects Open WebUI self-hosted offline AI platform versions prior to 0.8....

6.5CVSS5.8AI score0.00281EPSS
Web
cve
cve
added 2026/05/15 9:7 p.m.24 views

CVE-2026-45666

CVE-2026-45666 — Open WebUI IDOR in notes endpoint : The API /api/v1/notes/{note_id} allowed authenticated users to read other users’ notes by guessing UUIDs prior to version 0.8.11, enabling unauthorized data disclosure. The issue is fixed in 0.8.11; per-id endpoints now enforce ownership (admin...

6.5CVSS5.8AI score0.00277EPSS
Web
cve
cve
added 2026/05/15 7:13 p.m.24 views

CVE-2026-45671

Open WebUI vulnerability CVE-2026-45671 affects the shared-chat branch in the file authorization path. The has_access_to_file() gate unconditionally returns True for shared-chat references, ignoring the requesting user identity and the operation type. This allows any authenticated user to delete ...

8CVSS5.8AI score0.0027EPSS
Web
cve
cve
added 2026/06/23 4:43 p.m.24 views

CVE-2026-54016

CVE-2026-54016 : Open WebUI (self-hosted offline AI platform) suffers a Broken Object Level Authorization in the builtin search_knowledge_files tool. When native function calling is enabled and a model has no attached knowledge bases, an authenticated user can supply an arbitrary knowledge_id and...

4.3CVSS6AI score0.00226EPSS
cve
cve
added 2026/06/23 4:39 p.m.24 views

CVE-2026-54021

Summary: Open WebUI prior to 0.9.6 allows any authenticated user to direct requests to arbitrary Ollama backends by appending a caller-supplied url_idx, bypassing backend-level isolation and possibly reaching restricted or disabled backends. The issue arises on index-addressed Ollama proxy routes...

6.3CVSS6AI score0.0021EPSS
cve
cve
added 2026/04/14 1:39 a.m.23 views

CVE-2026-34225

Open WebUI vulnerability CVE-2026-34225 affects the Open WebUI self-hosted AI platform (offline). Versions ≤ 0.7.2 expose a Blind Server Side Request Forgery in the image-edit workflow: a GET request to a user-supplied URL with no domain restrictions, enabling access to the local address space. B...

4.3CVSS5.7AI score0.00227EPSS
cve
cve
added 2026/05/15 9:1 p.m.23 views

CVE-2026-44566

Open WebUI prior to version 0.1.124 is affected by an arbitrary file upload and path traversal vulnerability. The issue occurs in the /rag/api/v1/doc upload endpoint, where the uploaded file’s name is derived from the HTTP request and is not validated or sanitized, allowing dot-segments in the fi...

9.8CVSS5.8AI score0.00336EPSS
cve
cve
added 2026/05/15 9:19 p.m.23 views

CVE-2026-45301

Open WebUI (self-hosted AI platform) is affected by CVE-2026-45301 due to a missing permission check in all files-related API endpoints. Before version 0.3.16, any authenticated user could list, access, and delete files uploaded by any user via the /api/v1/files endpoints, exposing confidential d...

8.1CVSS5.8AI score0.00273EPSS
cve
cve
added 2026/05/15 7:44 p.m.22 views

CVE-2026-44557

Open WebUI before v0.9.0 is vulnerable to global knowledge-base enumeration through the retrieval query endpoints. The _validate_collection_access function uses an incomplete allowlist that only enforces ownership for collections starting with user-memory- or file-, allowing any authenticated use...

4.3CVSS5.8AI score0.00221EPSS
cve
cve
added 2026/05/15 9:5 p.m.22 views

CVE-2026-44570

CVE-2026-44570 affects Open WebUI prior to version 0.6.19, where authorization controls around the memories API were inconsistent. A non-admin user could query, view, delete, or attempt to modify another user’s memories via endpoints such as POST /api/v1/memories/query, POST /api/v1/memories/{mem...

8.3CVSS5.8AI score0.00294EPSS
Web
cve
cve
added 2026/05/15 9:21 p.m.22 views

CVE-2026-45303

Open WebUI vulnerability CVE-2026-45303: Stored XSS via the HTML rendering view affects Open WebUI prior to 0.6.5. The frontend renders chat HTML inside an iframe with sandbox=

7.7CVSS5.9AI score0.00217EPSS
Total number of security vulnerabilities137