VYPR

Open Webui

by Openwebui

Source repositories

CVEs (122)

  • CVE-2026-54012higJun 17, 2026
    risk 0.45cvss epss 0.00

    ## Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary `meta.knowledge` entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats `meta.knowledge` entries of type `file` as an…

  • CVE-2026-54011higJun 17, 2026
    risk 0.45cvss epss 0.00

    ## Summary Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using `innerHTML`. Because Mermaid is configured with `securityLevel: 'loose'`, attacker-controlled Mermaid content can be rendered unsafely in…

  • CVE-2026-54007higJun 17, 2026
    risk 0.45cvss epss 0.00

    ### Summary The chat message listener allows non-same-origin `input:prompt` and `action:submit` messages, so an external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted…

  • CVE-2026-45671HigMay 15, 2026
    risk 0.45cvss 8.0epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The…

  • CVE-2026-45303HigMay 15, 2026
    risk 0.43cvss 7.7epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content…

  • CVE-2026-34222HigApr 1, 2026
    risk 0.43cvss 7.7epss 0.05

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11.

  • CVE-2026-45398HigMay 15, 2026
    risk 0.42cvss 7.5epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as…

  • CVE-2026-44555HigMay 15, 2026
    risk 0.42cvss 7.6epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g., "Cheap Assistant") can reference an existing base model (e.g.,…

  • CVE-2026-44567HigMay 15, 2026
    risk 0.40cvss 7.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the…

  • CVE-2026-44566HigMay 15, 2026
    risk 0.40cvss 7.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a promp, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to…

  • CVE-2026-45395HigMay 15, 2026
    risk 0.40cvss 7.2epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This…

  • CVE-2026-45350HigMay 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. In the…

  • CVE-2026-44569HigMay 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to.…

  • CVE-2026-45399HigMay 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks…

  • CVE-2026-45349HigMay 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key (generated in OWUI) and the Chat ID of another user to continue the…

  • CVE-2026-44556HigMay 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model…

  • CVE-2026-28788HigMar 27, 2026
    risk 0.39cvss 7.1epss 0.03

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no…

  • CVE-2026-54017higJun 17, 2026
    risk 0.38cvss epss 0.00

    ### Summary The terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal…

  • CVE-2026-54013higJun 17, 2026
    risk 0.38cvss epss 0.00

    # Stored XSS to Account Takeover via Model Profile Images in Open WebUI **Affected:** Open WebUI <= 0.9.5 **Bypass of:** GHSA-3wgj-c2hg-vm6q, GHSA-3856-3vxq-m6fc --- ## TL;DR Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply…

  • CVE-2026-54010higJun 17, 2026
    risk 0.38cvss epss 0.00

    ## Summary Open WebUI `v0.9.5` lets an authenticated user attach arbitrary `file_id` values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, `has_access_to_file()`…

Page 2 of 7