Open Webui
by Openwebui
Source repositories
CVEs (122)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44558 | Med | 0.28 | 5.4 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a… | ||
| CVE-2026-34225 | Med | 0.28 | 4.3 | 0.00 | Apr 14, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to… | ||
| CVE-2026-29070 | Med | 0.28 | 5.4 | 0.00 | Mar 27, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge… | ||
| CVE-2026-44550 | Med | 0.26 | 5.0 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in… | ||
| CVE-2025-15603 | Low | 0.24 | 3.7 | 0.00 | Mar 9, 2026 | A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible… | ||
| CVE-2026-45317 | Med | 0.23 | 4.6 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a… | ||
| CVE-2026-45347 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) via the PDF generate function. In the PDF export, user inputs are interpreted as HTML and embedded into the… | ||
| CVE-2026-45387 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt.… | ||
| CVE-2026-45386 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing… | ||
| CVE-2026-45385 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators)… | ||
| CVE-2026-44559 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private… | ||
| CVE-2026-44557 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-*… | ||
| CVE-2026-45316 | Low | 0.16 | 3.5 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is_pinned field) but only checks for read permission. Users with read-only access… | ||
| CVE-2026-29071 | Low | 0.13 | 3.1 | 0.00 | Mar 27, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue. | ||
| CVE-2024-7034 | 0.01 | — | 0.02 | Mar 20, 2025 | In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of `file_path = f"{UPLOAD_DIR}/{file.filename}"` without proper input validation or… | |||
| CVE-2026-54022 | 0.00 | — | 0.00 | Jun 17, 2026 | ### Summary The `ydoc:document:join` Socket.IO handler checks note ownership only when the `document_id` starts with `note:` (colon). However, the `YdocManager` storage layer normalizes all document IDs by replacing colons with underscores (`document_id.replace(":", "_")`). An… | |||
| CVE-2026-54021 | 0.00 | — | 0.00 | Jun 17, 2026 | ## Summary Several direct, index-addressed Ollama proxy routes accept a caller-supplied `url_idx` path parameter and use it as a raw index into the admin-configured `OLLAMA_BASE_URLS` list. Access control on these routes validates only whether the user may use the requested… | |||
| CVE-2026-54019 | 0.00 | — | 0.00 | Jun 17, 2026 | # RAG ACL Bypass in Milvus Multitenancy Mode ## Summary This is a bypass of the fix for: - GHSA-h36f-rqpx-j5wx - CVE-2026-44560 - "Unauthorized File and Knowledge Base Content Access via RAG Vector Search" Open WebUI added collection-level ACL checks, but the patch can still… | |||
| CVE-2026-54016 | 0.00 | — | 0.00 | Jun 17, 2026 | ## Summary Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin `search_knowledge_files` tool. When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call… | |||
| CVE-2026-54015 | 0.00 | — | 0.00 | Jun 17, 2026 | ## Summary Open WebUI's prompt version-history endpoints authorize the `prompt_id` in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (`history_entry.prompt_id == prompt.id`). Three operations are affected: -… |
- risk 0.28cvss 5.4epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a…
- risk 0.28cvss 4.3epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to…
- risk 0.28cvss 5.4epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge…
- risk 0.26cvss 5.0epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in…
- risk 0.24cvss 3.7epss 0.00
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible…
- risk 0.23cvss 4.6epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a…
- risk 0.21cvss 4.3epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) via the PDF generate function. In the PDF export, user inputs are interpreted as HTML and embedded into the…
- risk 0.21cvss 4.3epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt.…
- risk 0.21cvss 4.3epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing…
- risk 0.21cvss 4.3epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators)…
- risk 0.21cvss 4.3epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private…
- risk 0.21cvss 4.3epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-*…
- risk 0.16cvss 3.5epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is_pinned field) but only checks for read permission. Users with read-only access…
- risk 0.13cvss 3.1epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.
- CVE-2024-7034Mar 20, 2025risk 0.01cvss —epss 0.02
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of `file_path = f"{UPLOAD_DIR}/{file.filename}"` without proper input validation or…
- CVE-2026-54022Jun 17, 2026risk 0.00cvss —epss 0.00
### Summary The `ydoc:document:join` Socket.IO handler checks note ownership only when the `document_id` starts with `note:` (colon). However, the `YdocManager` storage layer normalizes all document IDs by replacing colons with underscores (`document_id.replace(":", "_")`). An…
- CVE-2026-54021Jun 17, 2026risk 0.00cvss —epss 0.00
## Summary Several direct, index-addressed Ollama proxy routes accept a caller-supplied `url_idx` path parameter and use it as a raw index into the admin-configured `OLLAMA_BASE_URLS` list. Access control on these routes validates only whether the user may use the requested…
- CVE-2026-54019Jun 17, 2026risk 0.00cvss —epss 0.00
# RAG ACL Bypass in Milvus Multitenancy Mode ## Summary This is a bypass of the fix for: - GHSA-h36f-rqpx-j5wx - CVE-2026-44560 - "Unauthorized File and Knowledge Base Content Access via RAG Vector Search" Open WebUI added collection-level ACL checks, but the patch can still…
- CVE-2026-54016Jun 17, 2026risk 0.00cvss —epss 0.00
## Summary Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin `search_knowledge_files` tool. When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call…
- CVE-2026-54015Jun 17, 2026risk 0.00cvss —epss 0.00
## Summary Open WebUI's prompt version-history endpoints authorize the `prompt_id` in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (`history_entry.prompt_id == prompt.id`). Three operations are affected: -…
Page 4 of 7