Medium severity 5.4 · GHSA Advisory · Published May 15, 2026 · Updated May 19, 2026

CVE-2026-45365

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models. This vulnerability is fixed in 0.8.11.
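
A detection check for the request pattern in the description, as an added example (not Open WebUI or advisory code): it scans access-log lines for the bypass_filter query parameter on the two affected endpoints. The Combined Log Format layout, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints and parameter name as given in the advisory description.
AFFECTED_PATHS = ("/openai/chat/completions", "/ollama/api/chat")
PARAM = "bypass_filter"

# Assumption: reverse-proxy access logs in Common/Combined Log Format.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)

def find_bypass_attempts(lines):
    """Return one record per request that sent bypass_filter to an affected endpoint."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = unquote(url.path).rstrip("/")
        # endswith() also covers deployments served under a path prefix.
        if not path.endswith(AFFECTED_PATHS):
            continue
        # parse_qsl percent-decodes names, so "bypass%5Ffilter" is matched too.
        # The parameter is internal-only, so any client-supplied value is suspect.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == PARAM:
                hits.append({"client": m["client"], "path": path,
                             "value": value, "status": int(m["status"])})
                break
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "POST /openai/chat/completions HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "POST /openai/chat/completions?bypass_filter=true HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2026:10:01:00 +0000] "POST /ollama/api/chat?bypass%5Ffilter=1 HTTP/1.1" 403 64',
    '198.51.100.4 - - [01/Jan/2026:10:02:00 +0000] "GET /api/models?bypass_filter=true HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

The recorded status code helps triage: a 2xx response to a flagged request on a version prior to 0.8.11 is worth correlating with the account that made it and the model it requested.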

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| open-webui (PyPI) | < 0.8.11 | 0.8.11 |

Affected products

  • Openwebui/Open Webui (GHSA, 2 versions)
    • (no CPE), range: <= 0.8.10
    • cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*, range: <0.8.11
