{"url":"http://public2.vulnerablecode.io/api/packages/374521?format=json","purl":"pkg:pypi/open-webui@0.8.6","type":"pypi","namespace":"","name":"open-webui","version":"0.8.6","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.8.9","latest_non_vulnerable_version":"0.9.5","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74048?format=json","vulnerability_id":"VCID-4rz6-hw32-jueb","summary":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29070","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16175","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29070"},{"reference_url":"https://github.com/open-webui/open-webui","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui"},{"reference_url":"https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_e
lements":""}],"url":"https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29070","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29070"},{"reference_url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf","reference_id":"GHSA-26gm-93rw-cchf","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:49:47Z/"}],"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374521?format=json","purl":"pkg:pypi/open-webui@0.8.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6"}],"aliases":["CVE-2026-29070","GHSA-26gm-93rw-cchf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4rz6-hw32-jueb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74010?format=json","vulnerability_id":"VCID-7nbc-ng1s-suck","summary":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. 
Version 0.8.6 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29071","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02291","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29071"},{"reference_url":"https://github.com/open-webui/open-webui","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29071","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29071"},{"reference_url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw","reference_id":"GHSA-w9f8-gxf9-rhvw","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T20:06:23Z/"}],"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-w9f8-gxf9-rhvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374521?format=json","purl":"pkg:pypi/open-webui@0.8.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6"}],"aliases":["CVE-2026-29071","GHSA-w9f8-gxf9-rhvw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_u
rl":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7nbc-ng1s-suck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69322?format=json","vulnerability_id":"VCID-8n6u-wgz9-1bgj","summary":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose message — including the server's absolute `DATA_DIR` path — is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28786","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11302","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28786"},{"reference_url":"https://github.com/open-webui/open-webui","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui"},{"reference_url":"https://github.com/open-webui/open-webui/commit/387225eb8b3906909436004f84fff1b012e067d4","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui/commit/387225eb8b3906909436004f84fff1b012e067d4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28786","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/
S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28786"},{"reference_url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h","reference_id":"GHSA-vvxm-vxmr-624h","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T13:27:12Z/"}],"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374521?format=json","purl":"pkg:pypi/open-webui@0.8.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6"}],"aliases":["CVE-2026-28786","GHSA-vvxm-vxmr-624h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8n6u-wgz9-1bgj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70089?format=json","vulnerability_id":"VCID-pwsg-72yy-quhk","summary":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. In the chat_completion API, the parameters tool_ids and tool_servers are supplied by the user. These parameters are used to create a tools_dict by the middleware. This is then used by get_tool_by_id to retrieve the appropriate tool. 
However, there is no check ensuring that the user calling the API has permission to use the tool, meaning that a user can invoke any server tool by supplying the correct tool_id or tool_servers parameters via the chat completion API. Moreover, the authentication token stored on the server is used when invoking the tool, so the tool runs with the server's privileges. This vulnerability is fixed in 0.8.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45350","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14042","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45350"},{"reference_url":"https://github.com/open-webui/open-webui","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui"},{"reference_url":"https://github.com/open-webui/open-webui/commit/4737e1f11","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui/commit/4737e1f11"},{"reference_url":"https://github.com/open-webui/open-webui/releases/tag/v0.8.6","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui/releases/tag/v0.8.6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45350","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","s
coring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45350"},{"reference_url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-4pcg-253r-rf9w","reference_id":"GHSA-4pcg-253r-rf9w","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T22:18:20Z/"}],"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-4pcg-253r-rf9w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374521?format=json","purl":"pkg:pypi/open-webui@0.8.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6"}],"aliases":["CVE-2026-45350","GHSA-4pcg-253r-rf9w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pwsg-72yy-quhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69478?format=json","vulnerability_id":"VCID-u25g-p4nx-gqd1","summary":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. 
Version 0.8.6 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28788","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.0527","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28788"},{"reference_url":"https://github.com/open-webui/open-webui","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui"},{"reference_url":"https://github.com/open-webui/open-webui/releases/tag/v0.8.6","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui/releases/tag/v0.8.6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28788","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28788"},{"reference_url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j","reference_id":"GHSA-jjp7-g2jw-wh3j","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T20:08:10Z/"}],"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j"}],"fixed_pack
ages":[{"url":"http://public2.vulnerablecode.io/api/packages/374521?format=json","purl":"pkg:pypi/open-webui@0.8.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6"}],"aliases":["CVE-2026-28788","GHSA-jjp7-g2jw-wh3j"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u25g-p4nx-gqd1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67692?format=json","vulnerability_id":"VCID-ujye-g4rj-8be5","summary":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels (i.e., channels whose channel.type is neither group nor dm), the endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update can be accessed with read permission only. When access_control is set to None, the authorization check has_access(..., type=\"read\") evaluates to True, allowing users who are not the message owner to update messages. As a result, unauthorized modification of other users’ messages is possible. 
This vulnerability is fixed in 0.8.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44571","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01458","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44571"},{"reference_url":"https://github.com/open-webui/open-webui","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44571","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44571"},{"reference_url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-jgj3-r8hr-9pjw","reference_id":"GHSA-jgj3-r8hr-9pjw","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T22:18:47Z/"}],"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-jgj3-r8hr-9pjw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374521?format=json","purl":"pkg:pypi/open-webui@0.8.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6"}],"aliases":["CVE-2026-44571","GHSA-jgj3-r8hr-9pjw"],"risk_score":null,"exploitability":null,"weighted_severi
ty":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ujye-g4rj-8be5"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6"}