Lucene search
K

89 matches found

CVE
CVE
added 2025/11/08 1:29 a.m.93 views

CVE-2025-64496

CVE-2025-64496 Open WebUI : A code injection vulnerability in the Direct Connections feature (v0.6.224 and earlier) allows external model servers to push SSE events that execute arbitrary JavaScript in victim browsers, leading to token theft, account takeover, and potential backend RCE when combi...

8CVSS8.5AI score0.07767EPSS
CVE
CVE
added 2025/05/05 6:50 p.m.90 views

CVE-2025-46719

Open WebUI vulnerability CVE-2025-46719 affects versions prior to 0.6.6. A flaw in rendering certain HTML tags in chat messages allows stored cross-site scripting (XSS) in chat transcripts, which are accessible by other users on the same server or via Open WebUI community sharing. In the user’s b...

6.4CVSS6.5AI score0.00431EPSS
Web
CVE
CVE
added 2025/05/05 6:45 p.m.68 views

CVE-2025-46571

CVE-2025-46571 affects Open WebUI prior to version 0.6.6. Low-privileged users could upload HTML files containing JavaScript via the backend endpoint /api/v1/files/, which returns a file id. An attacker could lure an admin to click a link to such a file, causing the JavaScript to execute in the a...

6.3CVSS6.4AI score0.00288EPSS
Web
CVE
CVE
added 2024/04/16 2:24 p.m.65 views

CVE-2024-30256

CVE-2024-30256 affects Open WebUI prior to version 0.1.117. The vulnerability is an authenticated blind server-side request forgery (SSRF) in the backend, specifically in the function download_file_stream() inside Open WebUI’s backend/apps/web/routers/utils.py, exploitable via the url parameter. ...

6.4CVSS6.5AI score0.00412EPSS
CVE
CVE
added 2025/11/08 1:25 a.m.62 views

CVE-2025-64495

Open WebUI (self-hosted offline AI platform) is affected by a Stored DOM XSS in RichTextInput when the “Insert Prompt as Rich Text” option is enabled. In versions 0.6.34 and earlier, the prompt body is parsed with marked.parse and then assigned to a temporary div’s innerHTML without sanitisation,...

8.7CVSS5.8AI score0.0046EPSS
Web
CVE
CVE
added 2026/05/15 8:37 p.m.56 views

CVE-2026-45401

CVE-2026-45401 affects Open WebUI and describes an SSRF bypass: before version 0.9.5, the validate_url() check only validated the initial URL, while downstream HTTP clients (requests, aiohttp, LangChain WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirected targ...

8.5CVSS5.8AI score0.003EPSS
Web
CVE
CVE
added 2026/05/15 8:55 p.m.44 views

CVE-2026-45672

Open WebUI CVE-2026-45672 affects the /api/v1/utils/code/execute endpoint, where arbitrary Python code can be executed via Jupyter for any verified user even when ENABLE_CODE_EXECUTION is false. The feature gate is not enforced at the API level, so code execution is possible despite the admin set...

8.8CVSS6AI score0.00406EPSS
Web
CVE
CVE
added 2026/05/15 7:40 p.m.42 views

CVE-2026-44560

Open WebUI (self-hosted offline AI platform) contains a vector-search access control flaw in the RAG retrieval path. In get_sources_from_items, non-full-context file/text collection paths can query the vector store without authorization, enabling extraction of content from files and knowledge bas...

6.5CVSS5.8AI score0.00366EPSS
CVE
CVE
added 2026/05/15 8:35 p.m.42 views

CVE-2026-45398

Summary (concrete details from provided docs): Open WebUI before 0.9.5 exposes an IDOR vulnerability in the retrieval API where knowledge base collections (UUID-named) are not checked by _validate_collection_access. This allows any authenticated user who knows a private knowledge base UUID to rea...

7.5CVSS5.8AI score0.00331EPSS
Web
CVE
CVE
added 2026/05/15 7:12 p.m.40 views

CVE-2026-45675

Open WebUI CVE-2026-45675 describes a TOCTOU race in first-user admin role assignment for LDAP and OAuth paths prior to version 0.9.0. The signup path was fixed to insert with a default role first and upgrade if only one user remains; LDAP and OAuth paths did not receive that fix. Attack scenario...

8.1CVSS5.3AI score0.00354EPSS
CVE
CVE
added 2026/05/15 7:21 p.m.37 views

CVE-2026-45339

Open WebUI (self-hosted offline AI platform) has a vulnerability where endpoint access restrictions on API keys could be bypassed by using the x-api-key header, even when the key was restricted from sensitive endpoints like /api/v1/messages. Prior to version 0.9.0, requests with Authorization: Be...

6.5CVSS5.8AI score0.00309EPSS
Web
CVE
CVE
added 2026/05/15 8:36 p.m.36 views

CVE-2026-45386

Technical summary (CVE-2026-45386) Open WebUI’s pin_channel_message API endpoint exposes an IDOR vulnerability in standard channels. Prior to version 0.9.5, the endpoint checks only read permission for non-admin users, allowing read-only users to pin/unpin any message in channels where they have ...

4.3CVSS5.8AI score0.00204EPSS
CVE
CVE
added 2026/05/15 8:34 p.m.34 views

CVE-2026-45397

Open WebUI (self-hosted offline AI platform) is affected by CVE-2026-45397. The vulnerability is an information disclosure in the retrieval endpoint: GET /api/v1/retrieval/ can return live RAG configuration to unauthenticated clients. Affected component is backend/open_webui/routers/retrieval.py ...

5.3CVSS5.8AI score0.0072EPSS
CVE
CVE
added 2026/05/15 7:49 p.m.33 views

CVE-2026-44554

Open WebUI (self-hosted AI) vulnerability: the POST /api/v1/retrieval/process/web endpoint accepts a user-controlled collection_name with overwrite defaulting to True, and performs no authorization check to verify write access. When overwrite is True, save_docs_to_vector_db calls VECTOR_DB_CLIENT...

8.1CVSS5.8AI score0.00295EPSS
Web
CVE
CVE
added 2026/05/15 7:24 p.m.33 views

CVE-2026-44568

Summary: Open WebUI before v0.9.0 has a Stored XSS in the Pending User Overlay content. The vulnerability stems from rendering the admin-configured Pending User Overlay Content via marked.parse() inside {@html} with DOMPurify applied before markdown parsing, allowing an admin to inject JavaScript...

4.8CVSS5.9AI score0.0017EPSS
CVE
CVE
added 2026/05/15 7:57 p.m.32 views

CVE-2026-44552

CVE-2026-44552 affects Open WebUI. Before 0.9.0, tool_servers and terminal_servers keys in Redis were unprefixed, so when multiple instances share a Redis backend they can collide, allowing an admin on one instance to poison another’s cache and have users interact with attacker-controlled tool co...

8.7CVSS5.8AI score0.00305EPSS
CVE
CVE
added 2026/05/15 8:32 p.m.32 views

CVE-2026-45387

Open WebUI vulnerability CVE-2026-45387 affects Open WebUI (self-hosted offline AI) prior to version 0.9.5, where granting a group read access to a model could let other users view the model’s system prompt. Root cause: read-permission exposure of confidential prompt data. Impact: potential leaka...

4.3CVSS5.8AI score0.0022EPSS
CVE
CVE
added 2026/05/15 7:28 p.m.31 views

CVE-2026-44563

Open WebUI/Open WebUI’s Ollama integration vulnerability (CVE-2026-44563) affects the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints. These endpoints forward a user-supplied model name to the Ollama backend without enforcing AccessGrants.has_access(), effectively bypassing mo...

5.4CVSS5.8AI score0.00238EPSS
Web
CVE
CVE
added 2026/05/15 9:42 p.m.31 views

CVE-2026-45665

Open WebUI contains a Stored XSS in the Banner component due to incorrect sanitization order (DOMPurify before marked.parse). The vulnerability allows a compromised administrator to store a payload in the global banner that is rendered for all users, including the Super Admin, enabling privilege ...

8.1CVSS5.8AI score0.00322EPSS
CVE
CVE
added 2026/05/15 9:23 p.m.30 views

CVE-2026-45350

Open WebUI (self-hosted AI platform) has a vulnerability in the chat_completion API prior to version 0.8.6 where user-supplied tool_ids/tool_servers are used to build a tools_dict without permission checks. This allows invoking any server tool using the server’s credentials, bypassing tool restri...

7.1CVSS5.8AI score0.0026EPSS
CVE
CVE
added 2026/05/15 7:59 p.m.29 views

CVE-2026-44551

Open WebUI vulnerability CVE-2026-44551: before version 0.9.0, the LDAP authentication endpoint does not validate non-empty passwords, allowing an unauthenticated Simple Bind on many LDAP servers. The LdapForm model accepts password: str without a minimum length, so an empty string can reach the ...

9.1CVSS5.8AI score0.01461EPSS
CVE
CVE
added 2026/06/18 9:9 p.m.28 views

CVE-2026-54017

Open WebUI vulnerability CVE-2026-54017 affects the terminal-server proxy in backend/open_webui/routers/terminals.py before version 0.9.6. An authenticated non-admin user can craft the request path to perform traversal and SSRF to the terminal server and potentially internal services. Two vectors...

7.7CVSS5.3AI score0.00349EPSS
Web
CVE
CVE
added 2026/05/15 7:48 p.m.27 views

CVE-2026-44555

Open WebUI (self-hosted AI platform) has a vulnerability where a model created with base_model_id can chain to a restricted base model without validating access to that base model. Before 0.9.0, during model creation, the system does not verify the creator’s permission on the referenced base mode...

7.6CVSS5.9AI score0.00248EPSS
CVE
CVE
added 2026/05/15 7:18 p.m.27 views

CVE-2026-45399

Open WebUI CVE-2026-45399 describes a broken authorization gap in multi-user deployments: before release 0.9.0, authenticated, low-privilege users could enumerate and stop global background tasks via GET /api/tasks and POST /api/tasks/stop/{task_id}, impacting integrity and availability across us...

7.1CVSS5.8AI score0.0027EPSS
Web
CVE
CVE
added 2026/05/15 7:41 p.m.26 views

CVE-2026-44559

Summary (CVE-2026-44559) Open WebUI’s channel membership endpoint has an access control flaw on standard channels. Prior to version 0.9.0, GET /api/v1/channels/{id}/members only enforced membership checks for channel types ‘group’ and ‘dm’; standard (including private) channels did not perform ch...

4.3CVSS5.8AI score0.00221EPSS
Web
CVE
CVE
added 2026/05/15 9:3 p.m.26 views

CVE-2026-44569

Open WebUI CVE-2026-44569 describes an IDOR in the channel messages management system. Before version 0.6.19, authenticated users could modify or delete any message in channels they can read because message ownership validation was missing in the backend update/delete endpoints, even though the f...

7.1CVSS5.8AI score0.00266EPSS
CVE
CVE
added 2026/05/15 9:40 p.m.25 views

CVE-2026-44565

CVE-2026-44565 affects Open WebUI prior to 0.6.10. The upload API derives the target path from the original HTTP upload filename without validation, enabling dot-segment path traversal and arbitrary file writes to locations the web server user can access. This is fixed in 0.6.10. Mitigation guida...

8.1CVSS5.8AI score0.00454EPSS
CVE
CVE
added 2026/05/15 9:31 p.m.25 views

CVE-2026-45314

Open WebUI vulnerability CVE-2026-45314 describes a stored XSS in the profile image handling for webhooks. Before version 0.9.3, the channel webhook create/update flow accepts data URLs (data:image/svg+xml;base64,...) for profile_image_url. The API then serves the decoded SVG as image/svg+xml wit...

7.4CVSS6AI score0.00212EPSS
CVE
CVE
added 2026/05/15 9:41 p.m.25 views

CVE-2026-45667

Open WebUI vulnerability CVE-2026-45667: Before version 0.8.0, the unauthenticated GET /api/v1/memories/ef could trigger EMBEDDING_FUNCTION(...) and cause embedding generation, potentially incurring costs if paid providers are used. The issue is rooted in exposing a cost/resource–intensive operat...

6.5CVSS5.8AI score0.00341EPSS
CVE
CVE
added 2026/05/15 8:0 p.m.24 views

CVE-2026-44550

Open WebUI prior to 0.9.0 vulnerable to mass assignment via Pydantic extra='allow' in FolderForm. The server constructs a FolderModel by merging attacker-controlled extra fields (from form_data.model_dump(exclude_unset=True)) over a server-populated user_id, and because user_id is a real field, a...

5CVSS6AI score0.00287EPSS
CVE
CVE
added 2026/05/15 7:43 p.m.24 views

CVE-2026-44558

Open WebUI contains a vulnerability in the channel access grants path prior to version 0.9.0. The channel router does not call filter_allowed_access_grants on create or update, allowing a non-admin user who can create or own a group channel to submit arbitrary access grants (including public wild...

5.4CVSS5.9AI score0.0019EPSS
CVE
CVE
added 2026/05/15 7:34 p.m.24 views

CVE-2026-44561

CVE-2026-44561 affects Open WebUI. The vulnerability arises in the is_user_channel_member check: before 0.9.0, the code verifies ChannelMember existence but ignores is_active, so deactivated members (status 'left', is_active=False) retain full read/write access to group/DM channels via direct API...

5.4CVSS5.8AI score0.00178EPSS
CVE
CVE
added 2026/05/15 9:24 p.m.24 views

CVE-2026-44571

CVE-2026-44571 concerns the Open WebUI platform. In standard channels, the endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update could be invoked with only read permission if access_control is None, allowing unauthorized users to modify other users’ messages. The issue is fixed...

6.5CVSS5.8AI score0.00277EPSS
Web
CVE
CVE
added 2026/05/15 9:7 p.m.24 views

CVE-2026-45365

Open WebUI suffers a parameter binding flaw: an internal bypass_filter parameter was exposed in the HTTP handlers for /openai/chat/completions and /ollama/api/chat via FastAPI query binding. This allowed any authenticated user to append ?bypass_filter=true and skip the ACL check, enabling access ...

5.4CVSS5.8AI score0.00193EPSS
Web
CVE
CVE
added 2026/05/15 8:40 p.m.24 views

CVE-2026-45402

Open WebUI CVE-2026-45402 describes a cross-user file access/overwrite vulnerability in offline Open WebUI prior to 0.9.5. Two concrete paths allow attaching a victim’s file_id without verifying ownership: (1) folder knowledge ingestion via POST /api/v1/folders/{id}/update and (2) knowledge-base ...

8.1CVSS5.8AI score0.00346EPSS
Web
CVE
CVE
added 2026/05/15 7:26 p.m.23 views

CVE-2026-44564

Open WebUI (self-hosted offline AI platform) contains a vulnerability in the ydoc:document:update Socket.IO handler that allows read-only users to modify in-memory Yjs documents. The handler validates room membership but does not verify write permission, and read-only users join the document room...

5.4CVSS5.8AI score0.0022EPSS
CVE
CVE
added 2026/05/15 9:1 p.m.23 views

CVE-2026-44566

Open WebUI prior to version 0.1.124 is affected by an arbitrary file upload and path traversal vulnerability. The issue occurs in the /rag/api/v1/doc upload endpoint, where the uploaded file’s name is derived from the HTTP request and is not validated or sanitized, allowing dot-segments in the fi...

9.8CVSS5.8AI score0.00336EPSS
CVE
CVE
added 2026/05/15 7:22 p.m.23 views

CVE-2026-45331

CVE-2026-45331 concerns Open WebUI’s validate_url() in backend/open_webui/retrieval/web/utils.py, where a call to validators.ipv6(ip, private=True) raises a ValidationError due to the library not implementing the private keyword for IPv6. This causes IPv6 addresses to bypass the intended filter, ...

8.5CVSS5.8AI score0.00286EPSS
CVE
CVE
added 2026/05/15 7:20 p.m.23 views

CVE-2026-45349

Open WebUI had a broken access control issue for the completions API ( /api/chat/completions ) allowing a user to continue another user’s conversation if they knew the other user’s Chat ID. This privacy/policy bypass could expose private conversations. The issue affects prior to version 0.9.0 and...

7.1CVSS5.8AI score0.00231EPSS
Web
CVE
CVE
added 2026/05/15 8:2 p.m.22 views

CVE-2026-44721

CVE-2026-44721 documents a stored XSS in Open WebUI prior to version 0.9.0. The vulnerability arises from a flawed sanitizeResponseContent path that escapes HTML but does not neutralize a markdown link with a javascript: URI rendered via {@html}, enabling an authenticated user with workspace.mode...

7.3CVSS7.4AI score0.00308EPSS
CVE
CVE
added 2026/05/15 9:44 p.m.22 views

CVE-2026-45299

Open WebUI had a stored XSS vulnerability in the profile_image_url field on the user profile update form prior to version 0.8.0, due to lack of MIME-type validation for data URIs. Two attack paths were demonstrated: (1) data:text/html;base64… opened in a new tab, and (2) data:image/svg+xml;base64...

5.4CVSS5.9AI score0.00199EPSS
CVE
CVE
added 2026/05/15 9:46 p.m.22 views

CVE-2026-45338

Open WebUI CVE-2026-45338 describes an SSRF in _process_picture_url() (oauth.py) where the server fetches URLs from OAuth picture claims without validate_url(), enabling requests to internal resources and exfiltration of the full response. Affected software before the fix: Open WebUI prior to ver...

7.7CVSS6AI score0.00381EPSS
CVE
CVE
added 2026/05/15 8:29 p.m.22 views

CVE-2026-45385

Summary (grounded): Open WebUI (self-hosted offline AI) contains an IDOR vulnerability in the update_message_by_id API for channels of type group/dm. In these paths, the code only verifies that the caller is a channel member (is_user_channel_member) and does not confirm message ownership, enablin...

4.3CVSS5.8AI score0.00204EPSS
CVE
CVE
added 2026/05/15 8:40 p.m.22 views

CVE-2026-45400

CVE-2026-45400 relates to Open WebUI SSRF bypass in validate_url caused by a mismatch between urlparse and requests hostname handling. Before version 0.9.5, URLs like http://127.0.0.1:[email protected] could pass validation because hostname parsing treated the public IP (1.1.1.1) as the target, while ...

8.5CVSS5.8AI score0.00292EPSS
CVE
CVE
added 2026/06/23 4:42 p.m.22 views

CVE-2026-54018

Open WebUI (self-hosted offline AI) contains SSRF protection bypass in the Playwright Web Loader prior to version 0.9.6. The validator checks only the initial URL; Playwright follows redirects (301/302) by default, allowing an attacker-supplied URL that redirects to internal addresses (e.g., loca...

7.7CVSS5.9AI score0.00287EPSS
CVE
CVE
added 2026/05/15 9:45 p.m.21 views

CVE-2026-44549

CVE-2026-44549 details (Open WebUI) : Open WebUI before 0.8.0 previews Excel attachments unsafely. The XLSX payload can trigger sheet_to_html to embed an XSS payload, which is then inserted into the DOM via @html without sanitization, enabling stored XSS. The issue is resolved in version 0.8.0. R...

8.7CVSS5.8AI score0.00318EPSS
CVE
CVE
added 2026/05/15 7:54 p.m.21 views

CVE-2026-44553

Open WebUI (self-hosted offline AI) has a Socket.IO session cache vulnerability where admin role changes or user deletions are not propagated to active sessions. Prior to version 0.9.0, a user whose admin role was revoked can retain admin privileges within their existing Socket.IO session as long...

8.1CVSS5.8AI score0.00284EPSS
CVE
CVE
added 2026/05/15 7:46 p.m.21 views

CVE-2026-44556

Open WebUI vulnerability CVE-2026-44556 affects the /api/openai/responses endpoint, where the proxy forwards requests to upstream LLMs without enforcing per-model access control. Pre-0.9.0, any authenticated user could interact with any configured model by POSTing to /responses with an arbitrary ...

7.1CVSS6AI score0.00306EPSS
Web
CVE
CVE
added 2026/05/15 7:30 p.m.21 views

CVE-2026-44562

Open WebUI vulnerability CVE-2026-44562 affects the model import flow. Before version 0.9.0, POST /api/v1/models/import allowed users with workspace.models_import to overwrite any existing model without ownership checks, merging the attacker payload into the target model when IDs match, and bypas...

6.5CVSS5.8AI score0.0029EPSS
Web
CVE
CVE
added 2026/05/15 9:29 p.m.21 views

CVE-2026-45317

CVE-2026-45317 describes an application-wide CSRF vector in Open WebUI’s image handling prior to 0.9.3. An authenticated user can influence image URL rendering so that viewing a compromised image causes the user’s browser to issue GET requests to an attacker-controlled URL, potentially leaking co...

4.6CVSS5.8AI score0.00165EPSS
Total number of security vulnerabilities89