VYPR

PyPI package

open-webui

pkg:pypi/open-webui

Vulnerabilities (36)

  • CVE-2026-54022Jun 17, 2026
    affected < 0.8.11fixed 0.8.11

    ### Summary The `ydoc:document:join` Socket.IO handler checks note ownership only when the `document_id` starts with `note:` (colon). However, the `YdocManager` storage layer normalizes all document IDs by replacing colons with underscores (`document_id.replace(":", "_")`). An a

  • CVE-2026-54021Jun 17, 2026
    affected < 0.9.6fixed 0.9.6

    ## Summary Several direct, index-addressed Ollama proxy routes accept a caller-supplied `url_idx` path parameter and use it as a raw index into the admin-configured `OLLAMA_BASE_URLS` list. Access control on these routes validates only whether the user may use the requested *mod

  • CVE-2026-54019Jun 17, 2026
    affected < 0.9.6fixed 0.9.6

    # RAG ACL Bypass in Milvus Multitenancy Mode ## Summary This is a bypass of the fix for: - GHSA-h36f-rqpx-j5wx - CVE-2026-44560 - "Unauthorized File and Knowledge Base Content Access via RAG Vector Search" Open WebUI added collection-level ACL checks, but the patch can still

  • CVE-2026-54018higJun 17, 2026
    affected < 0.9.6fixed 0.9.6

    ### Summary The SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects (301/302)

  • CVE-2026-54017higJun 17, 2026
    affected < 0.9.6fixed 0.9.6

    ### Summary The terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal serve

  • CVE-2026-34222HigApr 1, 2026
    affected < 0.8.11fixed 0.8.11

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11.

  • CVE-2026-29071LowMar 27, 2026
    affected < 0.8.6fixed 0.8.6

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.

  • CVE-2026-29070MedMar 27, 2026
    affected < 0.8.6fixed 0.8.6

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge b

  • CVE-2026-28788HigMar 27, 2026
    affected < 0.8.6fixed 0.8.6

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no own

  • CVE-2026-28786Mar 26, 2026
    affected < 0.8.6fixed 0.8.6

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose mes

  • CVE-2025-65958Dec 4, 2025
    affected < 0.6.37fixed 0.6.37

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can

  • CVE-2025-63681Dec 4, 2025
    affected <= 0.6.33

    open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.

  • CVE-2025-64496Nov 8, 2025
    affected < 0.6.35fixed 0.6.35

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in v

  • CVE-2025-64495Nov 8, 2025
    affected < 0.6.35fixed 0.6.35

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the pro

  • CVE-2024-8060HigMar 20, 2025
    affected < 0.5.17fixed 0.5.17

    OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path tra

  • CVE-2024-7053Mar 20, 2025
    affected <= 0.3.8

    A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cook

  • CVE-2024-8053Mar 20, 2025
    affected <= 0.3.10

    In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload,

  • CVE-2024-7806Mar 20, 2025
    affected < 0.3.33fixed 0.3.33

    A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker

  • CVE-2024-7039Mar 20, 2025
    affected <= 0.3.8

    In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is re

  • CVE-2024-12534Mar 20, 2025
    affected <= 0.3.32

    In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS)

Page 1 of 2