Search
Find a vulnerability
Search criteria
270 vulnerabilities by open-webui
CVE-2026-56400 (GCVE-0-2026-56400)
Vulnerability from nvd – Published: 2026-07-15 11:25 – Updated: 2026-07-15 11:25
VLAI
EPSS
VEX
Title
open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation
Summary
open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | vendor-advisory |
| https://www.vulncheck.com/advisories/open-webui-r… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
0 , < 0.3.14
(semver)
Unaffected: 0.3.14 (semver) |
Date Public
2026-05-05 00:00
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/open-webui",
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"lessThan": "0.3.14",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.3.14",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T11:25:31.421Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-6xcp-7mpr-m7wm)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-6xcp-7mpr-m7wm"
},
{
"name": "VulnCheck Advisory: open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/open-webui-remote-code-execution-via-cors-misconfiguration-and-session-validation"
}
],
"title": "open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56400",
"datePublished": "2026-07-15T11:25:31.421Z",
"dateReserved": "2026-06-21T12:37:58.435Z",
"dateUpdated": "2026-07-15T11:25:31.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56398 (GCVE-0-2026-56398)
Vulnerability from nvd – Published: 2026-07-15 11:25 – Updated: 2026-07-15 13:25
VLAI
EPSS
VEX
Title
Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI
Summary
Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | vendor-advisory |
| https://www.vulncheck.com/advisories/open-webui-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
0 , < 0.9.5
(semver)
Unaffected: 0.9.5 (semver) |
Date Public
2026-05-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56398",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:20:08.460857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:25:55.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/open-webui",
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"lessThan": "0.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.9.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "matte1782"
}
],
"datePublic": "2026-05-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T11:25:30.722Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-3wgj-c2hg-vm6q)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wgj-c2hg-vm6q"
},
{
"name": "VulnCheck Advisory: Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/open-webui-stored-cross-site-scripting-via-oauth-picture-claim-svg-data-uri"
}
],
"title": "Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56398",
"datePublished": "2026-07-15T11:25:30.722Z",
"dateReserved": "2026-06-21T12:37:58.435Z",
"dateUpdated": "2026-07-15T13:25:55.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59221 (GCVE-0-2026-59221)
Vulnerability from nvd – Published: 2026-07-09 17:13 – Updated: 2026-07-09 18:09
VLAI
EPSS
VEX
Title
open-webui terminal proxy path traversal guard bypass via 9x encoded traversal
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.
Severity
7.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26050 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/0… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.9.6, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59221",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T18:09:16.352793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:09:19.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.6, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:13:36.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26050",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26050"
},
{
"name": "https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-frvj-c5qp-xj4w",
"discovery": "UNKNOWN"
},
"title": "open-webui terminal proxy path traversal guard bypass via 9x encoded traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59221",
"datePublished": "2026-07-09T17:13:36.193Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T18:09:19.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59715 (GCVE-0-2026-59715)
Vulnerability from nvd – Published: 2026-07-09 16:16 – Updated: 2026-07-09 17:29
VLAI
EPSS
VEX
Title
Open WebUI: Unauthenticated WebSocket Access to Collaborative Document Handlers (ydoc:awareness:update, ydoc:document:leave)
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/25946 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/2… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.6.16, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59715",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:29:40.961598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:29:46.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.6.16, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:16:02.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53"
},
{
"name": "https://github.com/open-webui/open-webui/pull/25946",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/25946"
},
{
"name": "https://github.com/open-webui/open-webui/commit/22f2fe1ffb66c993dad1e0b2b35514acaed2370e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/22f2fe1ffb66c993dad1e0b2b35514acaed2370e"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-gmfw-g93r-vg53",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Unauthenticated WebSocket Access to Collaborative Document Handlers (ydoc:awareness:update, ydoc:document:leave)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59715",
"datePublished": "2026-07-09T16:16:02.977Z",
"dateReserved": "2026-07-06T15:34:16.916Z",
"dateUpdated": "2026-07-09T17:29:46.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59227 (GCVE-0-2026-59227)
Vulnerability from nvd – Published: 2026-07-09 15:56 – Updated: 2026-07-14 00:58
VLAI
EPSS
VEX
Title
Open WebUI: POST /api/v1/images/edit bypasses the global image-edit switch and the per-user image-generation permission
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to invoke server-side image editing with administrator-configured provider credentials. This issue is fixed in version 0.10.0.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26009 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/e… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.8.11, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59227",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T00:21:12.800213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T00:58:25.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rqj7-6wrp-6g2g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.8.11, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to invoke server-side image editing with administrator-configured provider credentials. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:56:44.042Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rqj7-6wrp-6g2g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rqj7-6wrp-6g2g"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26009",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26009"
},
{
"name": "https://github.com/open-webui/open-webui/commit/e038bab66dec8d17212eec35b5cb6d6b785a4200",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/e038bab66dec8d17212eec35b5cb6d6b785a4200"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-rqj7-6wrp-6g2g",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: POST /api/v1/images/edit bypasses the global image-edit switch and the per-user image-generation permission"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59227",
"datePublished": "2026-07-09T15:56:44.042Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-14T00:58:25.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59226 (GCVE-0-2026-59226)
Vulnerability from nvd – Published: 2026-07-09 16:06 – Updated: 2026-07-09 18:08
VLAI
EPSS
VEX
Title
Open WebUI: Scheduled automations continue after pending-user deactivation and stored model ACL revocation
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26047 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/9… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.9.0, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T18:05:13.017696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:08:30.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:06:55.927Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-mvx4-532p-xfm9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-mvx4-532p-xfm9"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26047",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26047"
},
{
"name": "https://github.com/open-webui/open-webui/commit/920b655f4689e2118de928fbc936f6ebd4fed396",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/920b655f4689e2118de928fbc936f6ebd4fed396"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-mvx4-532p-xfm9",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Scheduled automations continue after pending-user deactivation and stored model ACL revocation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59226",
"datePublished": "2026-07-09T16:06:55.927Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T18:08:30.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59225 (GCVE-0-2026-59225)
Vulnerability from nvd – Published: 2026-07-09 17:12 – Updated: 2026-07-09 18:08
VLAI
EPSS
VEX
Title
Open WebUI: Arena task endpoints can bypass underlying model access controls
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26046 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/d… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.8.12, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:50:11.589065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:08:12.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.8.12, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel\u0027s access check. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:12:14.141Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m3qf-58wf-w979",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m3qf-58wf-w979"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26046",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26046"
},
{
"name": "https://github.com/open-webui/open-webui/commit/dc4924b66e655b315e3be4430a3e51b7d5c20acc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/dc4924b66e655b315e3be4430a3e51b7d5c20acc"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-m3qf-58wf-w979",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Arena task endpoints can bypass underlying model access controls"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59225",
"datePublished": "2026-07-09T17:12:14.141Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T18:08:12.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59224 (GCVE-0-2026-59224)
Vulnerability from nvd – Published: 2026-07-09 17:09 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Open WebUI: Terminal proxy forwards a spoofable, integrity-unbound user identity to the upstream (X-User-Id header and ws_terminal session_id query injection)
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26042 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/5… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:48.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:09:31.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26042",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26042"
},
{
"name": "https://github.com/open-webui/open-webui/commit/5f3a628a8d291bb5d33e1a0b0c89fb62a2927934",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/5f3a628a8d291bb5d33e1a0b0c89fb62a2927934"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-j657-m4c4-24jq",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Terminal proxy forwards a spoofable, integrity-unbound user identity to the upstream (X-User-Id header and ws_terminal session_id query injection)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59224",
"datePublished": "2026-07-09T17:09:31.980Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-10T03:55:48.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59223 (GCVE-0-2026-59223)
Vulnerability from nvd – Published: 2026-07-09 17:00 – Updated: 2026-07-09 17:53
VLAI
EPSS
VEX
Title
Open WebUI: `WEB_FETCH_FILTER_LIST` host allow/block filter bypassable via URL path and non-label-boundary matching
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/25949 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/0… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:52:51.423655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:53:06.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:00:08.976Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-qg3f-8x3j-ggf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-qg3f-8x3j-ggf2"
},
{
"name": "https://github.com/open-webui/open-webui/pull/25949",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/25949"
},
{
"name": "https://github.com/open-webui/open-webui/commit/087878ce848a4d828012068b5997dac480f43656",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/087878ce848a4d828012068b5997dac480f43656"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-qg3f-8x3j-ggf2",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: `WEB_FETCH_FILTER_LIST` host allow/block filter bypassable via URL path and non-label-boundary matching"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59223",
"datePublished": "2026-07-09T17:00:08.976Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T17:53:06.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59222 (GCVE-0-2026-59222)
Vulnerability from nvd – Published: 2026-07-09 16:59 – Updated: 2026-07-09 17:29
VLAI
EPSS
VEX
Title
Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/commit/f… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.7.0, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59222",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:29:10.232667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:29:39.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.7.0, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users\u2019 sensitive settings. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:59:10.208Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m"
},
{
"name": "https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-gh7p-78x6-jw6m",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59222",
"datePublished": "2026-07-09T16:59:10.208Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T17:29:39.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59220 (GCVE-0-2026-59220)
Vulnerability from nvd – Published: 2026-07-09 16:09 – Updated: 2026-07-09 18:45
VLAI
EPSS
VEX
Title
Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed <$skillId|label> skill mentions with overlapping quantifiers, allowing an authenticated chat message containing <$ without a closing > to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/commit/6… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.9.2, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59220",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T18:44:56.824119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:45:06.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.2, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed \u003c$skillId|label\u003e skill mentions with overlapping quantifiers, allowing an authenticated chat message containing \u003c$ without a closing \u003e to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:09:41.127Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw"
},
{
"name": "https://github.com/open-webui/open-webui/commit/61a26722155ec6ee1b629cf8dfcf975098c18331",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/61a26722155ec6ee1b629cf8dfcf975098c18331"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-ffpj-xv5c-p3gw",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59220",
"datePublished": "2026-07-09T16:09:41.127Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T18:45:06.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59219 (GCVE-0-2026-59219)
Vulnerability from nvd – Published: 2026-07-09 16:43 – Updated: 2026-07-09 17:30
VLAI
EPSS
VEX
Title
Open WebUI: Realtime endpoints accept Redis-revoked JWTs after signout/backchannel logout
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0 with Redis configured, Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket first-message authentication used decode_token without the Redis-backed is_valid_token revocation check, allowing revoked JWTs to continue authenticating realtime connections. This issue is fixed in version 0.10.0.
Severity
7.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/commit/3… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.9.0, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59219",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:30:33.951998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:30:39.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0 with Redis configured, Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket first-message authentication used decode_token without the Redis-backed is_valid_token revocation check, allowing revoked JWTs to continue authenticating realtime connections. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:43:24.542Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw"
},
{
"name": "https://github.com/open-webui/open-webui/commit/33b91bd8ae8a100a5a306c91441a7d0b422c4cde",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/33b91bd8ae8a100a5a306c91441a7d0b422c4cde"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-855v-hq7w-jmjw",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Realtime endpoints accept Redis-revoked JWTs after signout/backchannel logout"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59219",
"datePublished": "2026-07-09T16:43:24.542Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T17:30:39.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59218 (GCVE-0-2026-59218)
Vulnerability from nvd – Published: 2026-07-09 15:53 – Updated: 2026-07-09 17:50
VLAI
EPSS
VEX
Title
Open WebUI: Account enumeration via observable login timing discrepancy
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26385 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/9… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:50:34.890081Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:50:41.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:53:54.653Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rw5-9f7q-xj36",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rw5-9f7q-xj36"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26385",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26385"
},
{
"name": "https://github.com/open-webui/open-webui/commit/993e74912199c66c522f08ec81abe31d76985e39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/993e74912199c66c522f08ec81abe31d76985e39"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-7rw5-9f7q-xj36",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Account enumeration via observable login timing discrepancy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59218",
"datePublished": "2026-07-09T15:53:54.653Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-09T17:50:41.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59217 (GCVE-0-2026-59217)
Vulnerability from nvd – Published: 2026-07-09 16:51 – Updated: 2026-07-14 01:03
VLAI
EPSS
VEX
Title
Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26001 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/b… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T01:02:42.549293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T01:03:10.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:51:32.637Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26001",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26001"
},
{
"name": "https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-7r7x-gjvr-448g",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59217",
"datePublished": "2026-07-09T16:51:32.637Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-14T01:03:10.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59216 (GCVE-0-2026-59216)
Vulnerability from nvd – Published: 2026-07-09 16:48 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0.
Severity
7.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/25763 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/3… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59216",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:47.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:48:55.663Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q"
},
{
"name": "https://github.com/open-webui/open-webui/pull/25763",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/25763"
},
{
"name": "https://github.com/open-webui/open-webui/commit/386ac958144dbbbf0aa6e268070d72b681a318aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/386ac958144dbbbf0aa6e268070d72b681a318aa"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-74h3-cxq7-vc5q",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59216",
"datePublished": "2026-07-09T16:48:55.663Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-10T03:55:47.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59215 (GCVE-0-2026-59215)
Vulnerability from nvd – Published: 2026-07-09 16:57 – Updated: 2026-07-09 18:40
VLAI
EPSS
VEX
Title
Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/25766 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/a… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T18:39:54.646732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:40:04.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:57:24.325Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j"
},
{
"name": "https://github.com/open-webui/open-webui/pull/25766",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/25766"
},
{
"name": "https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-73x5-h92w-xc2j",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59215",
"datePublished": "2026-07-09T16:57:24.325Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-09T18:40:04.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59214 (GCVE-0-2026-59214)
Vulnerability from nvd – Published: 2026-07-09 15:51 – Updated: 2026-07-09 17:13
VLAI
EPSS
VEX
Title
Open WebUI: Stored web worker XSS via Pyodide
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue authenticated same-origin requests when a victim clicks Run, which can reach admin-only endpoints and execute server-side code through configured tools. This issue is fixed in version 0.10.0.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:12:24.665545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:13:10.879Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue authenticated same-origin requests when a victim clicks Run, which can reach admin-only endpoints and execute server-side code through configured tools. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:51:38.001Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4r2p-27mh-5m22",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4r2p-27mh-5m22"
}
],
"source": {
"advisory": "GHSA-4r2p-27mh-5m22",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Stored web worker XSS via Pyodide"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59214",
"datePublished": "2026-07-09T15:51:38.001Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-09T17:13:10.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59213 (GCVE-0-2026-59213)
Vulnerability from nvd – Published: 2026-07-09 16:55 – Updated: 2026-07-09 17:52
VLAI
EPSS
VEX
Title
Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/25783 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/0… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.6.27, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59213",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:52:02.458867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:52:21.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.6.27, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user\u2019s model list to another caller during the TTL window. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:55:00.032Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
},
{
"name": "https://github.com/open-webui/open-webui/pull/25783",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/25783"
},
{
"name": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-3wp3-xxj9-5jqq",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59213",
"datePublished": "2026-07-09T16:55:00.032Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-09T17:52:21.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59212 (GCVE-0-2026-59212)
Vulnerability from nvd – Published: 2026-07-09 17:04 – Updated: 2026-07-09 17:21
VLAI
EPSS
VEX
Title
Open WebUI: Model meta.knowledge read-only file access can be upgraded to file write/delete
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26032 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/1… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.9.6, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:21:19.508648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:21:32.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.6, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:04:43.488Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2xwm-4h2q-ggfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2xwm-4h2q-ggfx"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26032",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26032"
},
{
"name": "https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-2xwm-4h2q-ggfx",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Model meta.knowledge read-only file access can be upgraded to file write/delete"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59212",
"datePublished": "2026-07-09T17:04:43.488Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-09T17:21:32.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56400 (GCVE-0-2026-56400)
Vulnerability from cvelistv5 – Published: 2026-07-15 11:25 – Updated: 2026-07-15 11:25
VLAI
EPSS
VEX
Title
open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation
Summary
open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | vendor-advisory |
| https://www.vulncheck.com/advisories/open-webui-r… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
0 , < 0.3.14
(semver)
Unaffected: 0.3.14 (semver) |
Date Public
2026-05-05 00:00
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/open-webui",
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"lessThan": "0.3.14",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.3.14",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T11:25:31.421Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-6xcp-7mpr-m7wm)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-6xcp-7mpr-m7wm"
},
{
"name": "VulnCheck Advisory: open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/open-webui-remote-code-execution-via-cors-misconfiguration-and-session-validation"
}
],
"title": "open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56400",
"datePublished": "2026-07-15T11:25:31.421Z",
"dateReserved": "2026-06-21T12:37:58.435Z",
"dateUpdated": "2026-07-15T11:25:31.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56398 (GCVE-0-2026-56398)
Vulnerability from cvelistv5 – Published: 2026-07-15 11:25 – Updated: 2026-07-15 13:25
VLAI
EPSS
VEX
Title
Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI
Summary
Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | vendor-advisory |
| https://www.vulncheck.com/advisories/open-webui-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
0 , < 0.9.5
(semver)
Unaffected: 0.9.5 (semver) |
Date Public
2026-05-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56398",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:20:08.460857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:25:55.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/open-webui",
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"lessThan": "0.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.9.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "matte1782"
}
],
"datePublic": "2026-05-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T11:25:30.722Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-3wgj-c2hg-vm6q)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wgj-c2hg-vm6q"
},
{
"name": "VulnCheck Advisory: Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/open-webui-stored-cross-site-scripting-via-oauth-picture-claim-svg-data-uri"
}
],
"title": "Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56398",
"datePublished": "2026-07-15T11:25:30.722Z",
"dateReserved": "2026-06-21T12:37:58.435Z",
"dateUpdated": "2026-07-15T13:25:55.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59221 (GCVE-0-2026-59221)
Vulnerability from cvelistv5 – Published: 2026-07-09 17:13 – Updated: 2026-07-09 18:09
VLAI
EPSS
VEX
Title
open-webui terminal proxy path traversal guard bypass via 9x encoded traversal
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.
Severity
7.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26050 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/0… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.9.6, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59221",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T18:09:16.352793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:09:19.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.6, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:13:36.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26050",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26050"
},
{
"name": "https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-frvj-c5qp-xj4w",
"discovery": "UNKNOWN"
},
"title": "open-webui terminal proxy path traversal guard bypass via 9x encoded traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59221",
"datePublished": "2026-07-09T17:13:36.193Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T18:09:19.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59225 (GCVE-0-2026-59225)
Vulnerability from cvelistv5 – Published: 2026-07-09 17:12 – Updated: 2026-07-09 18:08
VLAI
EPSS
VEX
Title
Open WebUI: Arena task endpoints can bypass underlying model access controls
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26046 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/d… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.8.12, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:50:11.589065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:08:12.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.8.12, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel\u0027s access check. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:12:14.141Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m3qf-58wf-w979",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m3qf-58wf-w979"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26046",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26046"
},
{
"name": "https://github.com/open-webui/open-webui/commit/dc4924b66e655b315e3be4430a3e51b7d5c20acc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/dc4924b66e655b315e3be4430a3e51b7d5c20acc"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-m3qf-58wf-w979",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Arena task endpoints can bypass underlying model access controls"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59225",
"datePublished": "2026-07-09T17:12:14.141Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T18:08:12.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59224 (GCVE-0-2026-59224)
Vulnerability from cvelistv5 – Published: 2026-07-09 17:09 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Open WebUI: Terminal proxy forwards a spoofable, integrity-unbound user identity to the upstream (X-User-Id header and ws_terminal session_id query injection)
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26042 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/5… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:48.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:09:31.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26042",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26042"
},
{
"name": "https://github.com/open-webui/open-webui/commit/5f3a628a8d291bb5d33e1a0b0c89fb62a2927934",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/5f3a628a8d291bb5d33e1a0b0c89fb62a2927934"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-j657-m4c4-24jq",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Terminal proxy forwards a spoofable, integrity-unbound user identity to the upstream (X-User-Id header and ws_terminal session_id query injection)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59224",
"datePublished": "2026-07-09T17:09:31.980Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-10T03:55:48.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59212 (GCVE-0-2026-59212)
Vulnerability from cvelistv5 – Published: 2026-07-09 17:04 – Updated: 2026-07-09 17:21
VLAI
EPSS
VEX
Title
Open WebUI: Model meta.knowledge read-only file access can be upgraded to file write/delete
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26032 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/1… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.9.6, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:21:19.508648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:21:32.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.6, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:04:43.488Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2xwm-4h2q-ggfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2xwm-4h2q-ggfx"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26032",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26032"
},
{
"name": "https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-2xwm-4h2q-ggfx",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Model meta.knowledge read-only file access can be upgraded to file write/delete"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59212",
"datePublished": "2026-07-09T17:04:43.488Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-09T17:21:32.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59223 (GCVE-0-2026-59223)
Vulnerability from cvelistv5 – Published: 2026-07-09 17:00 – Updated: 2026-07-09 17:53
VLAI
EPSS
VEX
Title
Open WebUI: `WEB_FETCH_FILTER_LIST` host allow/block filter bypassable via URL path and non-label-boundary matching
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/25949 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/0… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:52:51.423655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:53:06.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:00:08.976Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-qg3f-8x3j-ggf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-qg3f-8x3j-ggf2"
},
{
"name": "https://github.com/open-webui/open-webui/pull/25949",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/25949"
},
{
"name": "https://github.com/open-webui/open-webui/commit/087878ce848a4d828012068b5997dac480f43656",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/087878ce848a4d828012068b5997dac480f43656"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-qg3f-8x3j-ggf2",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: `WEB_FETCH_FILTER_LIST` host allow/block filter bypassable via URL path and non-label-boundary matching"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59223",
"datePublished": "2026-07-09T17:00:08.976Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T17:53:06.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59222 (GCVE-0-2026-59222)
Vulnerability from cvelistv5 – Published: 2026-07-09 16:59 – Updated: 2026-07-09 17:29
VLAI
EPSS
VEX
Title
Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/commit/f… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.7.0, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59222",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:29:10.232667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:29:39.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.7.0, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users\u2019 sensitive settings. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:59:10.208Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m"
},
{
"name": "https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-gh7p-78x6-jw6m",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59222",
"datePublished": "2026-07-09T16:59:10.208Z",
"dateReserved": "2026-07-02T21:05:02.925Z",
"dateUpdated": "2026-07-09T17:29:39.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59215 (GCVE-0-2026-59215)
Vulnerability from cvelistv5 – Published: 2026-07-09 16:57 – Updated: 2026-07-09 18:40
VLAI
EPSS
VEX
Title
Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/25766 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/a… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T18:39:54.646732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T18:40:04.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:57:24.325Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j"
},
{
"name": "https://github.com/open-webui/open-webui/pull/25766",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/25766"
},
{
"name": "https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-73x5-h92w-xc2j",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59215",
"datePublished": "2026-07-09T16:57:24.325Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-09T18:40:04.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59213 (GCVE-0-2026-59213)
Vulnerability from cvelistv5 – Published: 2026-07-09 16:55 – Updated: 2026-07-09 17:52
VLAI
EPSS
VEX
Title
Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/25783 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/0… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
>= 0.6.27, < 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59213",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:52:02.458867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:52:21.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.6.27, \u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user\u2019s model list to another caller during the TTL window. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:55:00.032Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
},
{
"name": "https://github.com/open-webui/open-webui/pull/25783",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/25783"
},
{
"name": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-3wp3-xxj9-5jqq",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59213",
"datePublished": "2026-07-09T16:55:00.032Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-09T17:52:21.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59217 (GCVE-0-2026-59217)
Vulnerability from cvelistv5 – Published: 2026-07-09 16:51 – Updated: 2026-07-14 01:03
VLAI
EPSS
VEX
Title
Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| https://github.com/open-webui/open-webui/pull/26001 | x_refsource_MISC |
| https://github.com/open-webui/open-webui/commit/b… | x_refsource_MISC |
| https://github.com/open-webui/open-webui/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T01:02:42.549293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T01:03:10.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:51:32.637Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g"
},
{
"name": "https://github.com/open-webui/open-webui/pull/26001",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/pull/26001"
},
{
"name": "https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1"
},
{
"name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-7r7x-gjvr-448g",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59217",
"datePublished": "2026-07-09T16:51:32.637Z",
"dateReserved": "2026-07-02T21:05:02.924Z",
"dateUpdated": "2026-07-14T01:03:10.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}