Lucene search
K

94 matches found

CVE
CVE
added 2026/05/15 9:1 p.m.23 views

CVE-2026-44566

Open WebUI prior to version 0.1.124 is affected by an arbitrary file upload and path traversal vulnerability. The issue occurs in the /rag/api/v1/doc upload endpoint, where the uploaded file’s name is derived from the HTTP request and is not validated or sanitized, allowing dot-segments in the fi...

9.8CVSS5.8AI score0.00336EPSS
CVE
CVE
added 2026/05/15 9:9 p.m.23 views

CVE-2026-45351

Open WebUI vulnerability CVE-2026-45351: A non-admin user could trigger a request to /api/models? and receive the system prompt of available models, revealing admin-set backend prompts and compromising confidentiality. This affects Open WebUI self-hosted offline AI platform versions prior to 0.8....

6.5CVSS5.8AI score0.00281EPSS
CVE
CVE
added 2026/06/23 4:51 p.m.23 views

CVE-2026-54007

CVE-2026-54007 describes a cross-origin postMessage bypass in Open WebUI prior to version 0.9.6. The root cause is a chat input/submit flow in the Chat.svelte window message listener that accepts non-same-origin messages (input:prompt and action:submit) and forwards them to submitPrompt(), enabli...

7.1CVSS5.8AI score0.00162EPSS
Web
CVE
CVE
added 2026/06/23 4:50 p.m.23 views

CVE-2026-54008

Summary of CVE-2026-54008 (Open WebUI) : The vulnerable code path in backend/open_webui/utils/oauth.py::_process_picture_url validates only the initial picture_url and then fetches it with aiohttp (session.get) using default redirect-follow behavior. This enables an attacker with a valid OAuth Id...

8.5CVSS5.9AI score0.00203EPSS
CVE
CVE
added 2026/06/23 4:38 p.m.23 views

CVE-2026-54022

Summary (grounded in provided sources): Open WebUI prior to version 0.8.11 has a logic bug in the ydoc:document:join handler: authorization is only enforced for document IDs starting with the prefix note:. The YdocManager stores documents using a normalized key where colons are replaced with unde...

5.3CVSS5.9AI score0.00268EPSS
CVE
CVE
added 2025/12/04 7:55 p.m.22 views

CVE-2025-65958

Open WebUI (self-hosted offline AI platform) is affected by a Server-Side Request Forgery (SSRF) in the /api/v1/retrieval/process/web endpoint. The vulnerability allows any authenticated user to force the server to fetch arbitrary URLs, enabling access to internal/cloud metadata endpoints (e.g., ...

8.5CVSS6.5AI score0.04117EPSS
CVE
CVE
added 2026/03/26 11:54 p.m.22 views

CVE-2026-29071

CVE-2026-29071 affects Open WebUI. Before v0.8.6, any authenticated user could read other users’ private memories via the vulnerable endpoint /api/v1/retrieval/query/collection, enabling exposure of documents, memories, and user metadata. The root cause is missing authorization in collection quer...

4.3CVSS5.8AI score0.00253EPSS
CVE
CVE
added 2026/05/15 9:45 p.m.22 views

CVE-2026-44549

CVE-2026-44549 details (Open WebUI) : Open WebUI before 0.8.0 previews Excel attachments unsafely. The XLSX payload can trigger sheet_to_html to embed an XSS payload, which is then inserted into the DOM via @html without sanitization, enabling stored XSS. The issue is resolved in version 0.8.0. R...

8.7CVSS5.8AI score0.00318EPSS
CVE
CVE
added 2026/05/15 7:46 p.m.22 views

CVE-2026-44556

Open WebUI vulnerability CVE-2026-44556 affects the /api/openai/responses endpoint, where the proxy forwards requests to upstream LLMs without enforcing per-model access control. Pre-0.9.0, any authenticated user could interact with any configured model by POSTing to /responses with an arbitrary ...

7.1CVSS6AI score0.00306EPSS
Web
CVE
CVE
added 2026/05/15 9:21 p.m.22 views

CVE-2026-45303

Open WebUI vulnerability CVE-2026-45303: Stored XSS via the HTML rendering view affects Open WebUI prior to 0.6.5. The frontend renders chat HTML inside an iframe with sandbox=

7.7CVSS5.9AI score0.00217EPSS
CVE
CVE
added 2026/05/15 9:30 p.m.22 views

CVE-2026-45316

Summary (Open WebUI CVE-2026-45316): A permission check bug in the POST /api/v1/notes/{id}/pin endpoint allows read-only users to toggle a note’s is_pinned state because it checks read permission instead of write. The issue occurs in Open WebUI prior to 0.9.3 and is fixed in 0.9.3. The vulnerabil...

3.5CVSS5.8AI score0.00218EPSS
Web
CVE
CVE
added 2026/05/15 9:28 p.m.22 views

CVE-2026-45318

CVE-2026-45318 is an Open WebUI stored XSS vulnerability. The root cause is rendering unsanitized HTML produced from Excel/DOCX previews (XLSX.utils.sheet_to_html) via {@html excelHtml} or fileOfficeHtml without DOMPurify. This affects Open WebUI versions prior to 0.9.3, where an attacker-uploade...

5.4CVSS5.8AI score0.00209EPSS
CVE
CVE
added 2026/05/15 9:46 p.m.22 views

CVE-2026-45338

Open WebUI CVE-2026-45338 describes an SSRF in _process_picture_url() (oauth.py) where the server fetches URLs from OAuth picture claims without validate_url(), enabling requests to internal resources and exfiltration of the full response. Affected software before the fix: Open WebUI prior to ver...

7.7CVSS6AI score0.00381EPSS
Web
CVE
CVE
added 2026/05/15 9:17 p.m.22 views

CVE-2026-45345

Open WebUI (self-hosted AI platform) has a vulnerability in the model update function prior to version 0.5.7 where an attacker could modify another user’s private model by changing access permissions during editing. The issue is confirmed in multiple sources (CVE-2026-45345, GHSA-gm54-m39w-grjp, ...

6.5CVSS5.8AI score0.00226EPSS
CVE
CVE
added 2026/05/15 8:33 p.m.22 views

CVE-2026-45396

Summary of technical details (CVE-2026-45396) Open WebUI v0.9.2 is vulnerable to mass assignment in the endpoint POST /api/v1/evaluations/feedback through a FeedbackForm that uses extra='allow'. The root cause is an insecure dictionary merge order in insert_new_feedback(), where the form data can...

5.4CVSS5.9AI score0.00307EPSS
Web
CVE
CVE
added 2026/05/15 9:7 p.m.22 views

CVE-2026-45666

CVE-2026-45666 — Open WebUI IDOR in notes endpoint : The API /api/v1/notes/{note_id} allowed authenticated users to read other users’ notes by guessing UUIDs prior to version 0.8.11, enabling unauthorized data disclosure. The issue is fixed in 0.8.11; per-id endpoints now enforce ownership (admin...

6.5CVSS5.8AI score0.00277EPSS
Web
CVE
CVE
added 2026/05/15 7:44 p.m.21 views

CVE-2026-44557

Open WebUI before v0.9.0 is vulnerable to global knowledge-base enumeration through the retrieval query endpoints. The _validate_collection_access function uses an incomplete allowlist that only enforces ownership for collections starting with user-memory- or file-, allowing any authenticated use...

4.3CVSS5.8AI score0.00221EPSS
CVE
CVE
added 2026/05/15 8:59 p.m.21 views

CVE-2026-44567

Open WebUI improperly authorizes users with a pending role. The CVE describes that prior to v0.1.124 the API does not validate that a user has an authorized role, allowing a pending user to access endpoints intended for authenticated users. Technical details show get_current_user() validates JWTs...

7.3CVSS5.8AI score0.0023EPSS
CVE
CVE
added 2026/05/15 9:19 p.m.21 views

CVE-2026-45301

Open WebUI (self-hosted AI platform) is affected by CVE-2026-45301 due to a missing permission check in all files-related API endpoints. Before version 0.3.16, any authenticated user could list, access, and delete files uploaded by any user via the /api/v1/files endpoints, exposing confidential d...

8.1CVSS5.8AI score0.00273EPSS
CVE
CVE
added 2026/05/15 8:33 p.m.21 views

CVE-2026-45395

Summary: CVE-2026-45395 (Open WebUI) is a missing authorization check on the tool update endpoint. Before 0.9.5, POST /api/v1/tools/id/{id}/update validates only a write-grant for the tool and does not enforce the workspace.tools permission, unlike the create endpoint which requires workspace.too...

7.2CVSS6.2AI score0.00437EPSS
Web
CVE
CVE
added 2026/06/23 4:46 p.m.21 views

CVE-2026-54013

CVE-2026-54013 describes a stored XSS in Open WebUI where the model profile image URL could be a data:image/svg+xml;base64 payload. The root cause is missing input validation on ModelMeta.profile_image_url and missing output protections in the model image endpoint (no MIME allowlist, no nosniff, ...

7.6CVSS5.8AI score0.00174EPSS
CVE
CVE
added 2026/06/23 4:39 p.m.21 views

CVE-2026-54021

Summary: Open WebUI prior to 0.9.6 allows any authenticated user to direct requests to arbitrary Ollama backends by appending a caller-supplied url_idx, bypassing backend-level isolation and possibly reaching restricted or disabled backends. The issue arises on index-addressed Ollama proxy routes...

6.3CVSS6AI score0.0021EPSS
CVE
CVE
added 2026/05/15 9:5 p.m.20 views

CVE-2026-44570

CVE-2026-44570 affects Open WebUI prior to version 0.6.19, where authorization controls around the memories API were inconsistent. A non-admin user could query, view, delete, or attempt to modify another user’s memories via endpoints such as POST /api/v1/memories/query, POST /api/v1/memories/{mem...

8.3CVSS5.8AI score0.00294EPSS
Web
CVE
CVE
added 2026/05/15 9:15 p.m.20 views

CVE-2026-45346

Open WebUI (self-hosted offline AI platform) prior to version 0.6.31 contains a stored Cross‑Site Scripting (XSS) vulnerability in its SVG renderer. The issue allows attackers to save and execute injected HTML/JavaScript in the application context, potentially leading to data exposure or manipula...

5.4CVSS5.8AI score0.00165EPSS
CVE
CVE
added 2026/05/15 9:26 p.m.19 views

CVE-2026-45315

Open WebUI (self-hosted offline AI platform) is affected by CVE-2026-45315. Before version 0.9.3, the audio transcription upload endpoint accepts a user-supplied filename extension and saves the file under CACHE_DIR/audio/transcriptions, then serves /cache/{path} via FileResponse using the on-dis...

8.7CVSS5.8AI score0.0018EPSS
CVE
CVE
added 2026/06/23 4:45 p.m.19 views

CVE-2026-54014

Open WebUI (open-webui/open-webui) before version 0.9.6 is affected by a sibling-prefix path traversal in the cache file endpoint. The vulnerability stems from serve_cache_file() validating the absolute path with file_path.startswith(os.path.abspath(CACHE_DIR)) without appending a trailing path s...

4.3CVSS5.9AI score0.00244EPSS
CVE
CVE
added 2026/06/23 4:43 p.m.19 views

CVE-2026-54016

CVE-2026-54016 : Open WebUI (self-hosted offline AI platform) suffers a Broken Object Level Authorization in the builtin search_knowledge_files tool. When native function calling is enabled and a model has no attached knowledge bases, an authenticated user can supply an arbitrary knowledge_id and...

4.3CVSS6AI score0.00226EPSS
CVE
CVE
added 2026/02/19 7:10 p.m.18 views

CVE-2026-26192

Open WebUI (self-hosted offline) before v0.7.0 allows stored XSS via a crafted document payload by modifying chat history to set html in document metadata; the frontend treats contents as HTML and renders in an iframe during citation preview or shared chat view. Version 0.7.0 fixes the issue. No ...

7.3CVSS5.6AI score0.00194EPSS
CVE
CVE
added 2026/02/19 7:15 p.m.17 views

CVE-2026-26193

Open WebUI (self-hosted, offline) is affected prior to v0.6.44. The vulnerability arises from allowing manual modification of chat history to set the embeds property on a response message, which is loaded into an iframe with an aggressive sandbox (allow-scripts and allow-same-origin) that bypasse...

7.3CVSS5.5AI score0.00198EPSS
CVE
CVE
added 2026/05/15 9:12 p.m.17 views

CVE-2026-45347

CVE-2026-45347 concerns Open WebUI, a self-hosted offline AI platform. The vulnerability is a blind server-side request forgery (SSRF) via the PDF generate function, where user inputs embedded in the PDF are processed as HTML. Tests show most dangerous tags (e.g., iframe, object) are blocked, but...

5.4CVSS5.8AI score0.00186EPSS
CVE
CVE
added 2026/03/26 11:37 p.m.16 views

CVE-2026-28786

Open WebUI is a self-hosted offline AI platform. CVE-2026-28786 affects versions prior to 0.8.6, where an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError. The error message can include the server’s abso...

4.3CVSS5.8AI score0.00427EPSS
CVE
CVE
added 2026/06/23 4:44 p.m.16 views

CVE-2026-54015

Open WebUI vulnerability CVE-2026-54015 : Before 0.9.6, the prompt history IDOR flaw allows cross-prompt access via /api/v1/prompts/id/{prompt_id}/history/diff, /update/version, and /history/{history_id}. Although the URL is bound to a prompt, the server fetches history entries globally by ID wit...

6.4CVSS5.9AI score0.00169EPSS
Web
CVE
CVE
added 2 days ago16 views

CVE-2026-59224

Open WebUI vulnerability CVE-2026-59224 affects versions prior to 0.10.0. The issue: in backend/open_webui/routers/terminals.py, the ws_terminal upstream URL is built from an unencoded session_id and appends user_id as a query parameter, enabling query injection to make the terminal backend resol...

8CVSS6AI score0.00288EPSS
CVE
CVE
added 2026/06/23 4:50 p.m.15 views

CVE-2026-54006

Open WebUI prior to version 0.9.6 is vulnerable to an IDOR in the calendar events update endpoint. The vulnerability arises because POST /api/v1/calendars/events/{event_id}/update validates write access to the source calendar but does not validate the destination calendar_id in the request body, ...

4.3CVSS5.9AI score0.00179EPSS
Web
CVE
CVE
added 2026/06/23 4:48 p.m.15 views

CVE-2026-54010

CVE-2026-54010 affects Open WebUI prior to version 0.9.6. An authenticated user could attach arbitrary file_id values to their own chat messages without ownership/read checks, and then leverage a forged chat-file link to access or delete the victim’s file via shared-chat authorization. The root c...

8.3CVSS6AI score0.00241EPSS
CVE
CVE
added 2025/12/04 8:46 p.m.14 views

CVE-2025-65959

CVE-2025-65959 concerns a stored XSS in Open WebUI’s Notes PDF download feature. The vulnerability arises when HTML content from a Markdown note is assigned directly to innerHTML during PDF generation, enabling arbitrary JavaScript execution (e.g., SVG-based payloads) and session-token theft. Exp...

8.7CVSS6.4AI score0.002EPSS
CVE
CVE
added 2026/03/26 11:38 p.m.13 views

CVE-2026-28788

Open WebUI vulnerability CVE-2026-28788 affects the self-hosted Open WebUI AI platform. Before version 0.8.6, an authenticated user can overwrite any file’s content by ID via POST /api/v1/retrieval/process/files/batch. The endpoint performs no ownership check, enabling a user with read access to ...

7.1CVSS5.8AI score0.02858EPSS
Web
CVE
CVE
added 2026/03/26 11:39 p.m.13 views

CVE-2026-29070

Open WebUI (self-hosted offline AI platform) prior to version 0.8.6 lacks proper access control when deleting files from a knowledge base. The only check is that the user has write access to the knowledge base or is an admin; no verification that the target file belongs to that knowledge base. As...

8.1CVSS5.9AI score0.00252EPSS
CVE
CVE
added 2026/04/01 5:2 p.m.12 views

CVE-2026-34222

Affected product: Open WebUI, a self-hosted offline AI platform. Issue: broken access control in tool values prior to version 0.8.11. Impact: potential exposure due to access control bypass; CVSS 3.1 base score 7.7 (HIGH) with Network attack vector, low privileges required, no user interaction, c...

7.7CVSS5.8AI score0.05271EPSS
CVE
CVE
added 2026/06/23 4:47 p.m.12 views

CVE-2026-54011

Open WebUI vulnerability CVE-2026-54011 is a stored XSS in Mermaid Markdown Preview. Affected versions include main and 0.8.12; the Mermaid rendering uses securityLevel: 'loose' and injects SVG via innerHTML in the file preview path, enabling JavaScript execution in the app origin. The issue is c...

8.7CVSS6AI score0.002EPSS
CVE
CVE
added 2 days ago10 views

CVE-2026-59223

Open WebUI vulnerability CVE-2026-59223 affects the WEB_FETCH_FILTER_LIST logic prior to 0.10.0, allowing path-based blocklist bypasses (e.g., !internal.example.com in a URL path) and misalignment with hostname policy for sibling-domain matches. The issue is fixed in version 0.10.0. Impact is a p...

4.3CVSS6AI score0.00233EPSS
CVE
CVE
added 2 days ago8 views

CVE-2026-59214

Open WebUI (self-hosted AI platform) is affected by a vulnerability described as a stored web worker XSS via Pyodide. Prior to version 0.10.0, the platform runs client-side Python with Pyodide inside a same-origin web worker, which could allow stored chat payloads using pyodide.http.pyfetch or th...

9CVSS6.1AI score0.00246EPSS
CVE
CVE
added 2 days ago8 views

CVE-2026-59217

Open WebUI prior to version 0.10.0 allowed a metadata.knowledge_id value in file uploads to auto-link files to a knowledge base, bypassing the write-access check on /api/v1/knowledge//file/add. This enabled read-only knowledge-base users to add arbitrary files. The issue is fixed in version 0.10....

4.3CVSS6AI score0.00268EPSS
Web
CVE
CVE
added 2 days ago8 views

CVE-2026-59218

Open WebUI prior to version 0.10.0 exposed an account enumeration flaw in the /api/v1/auths/signin endpoint. The login flow looked up users by email and only performed bcrypt verification when a credential existed, causing registered accounts to respond more slowly than missing email attempts. Th...

5.3CVSS5.9AI score0.00244EPSS
Web
Total number of security vulnerabilities94