VYPR

Open Webui

by Openwebui

Source repositories

CVEs (122)

  • CVE-2026-44558MedMay 15, 2026
    risk 0.28cvss 5.4epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a…

  • CVE-2026-34225MedApr 14, 2026
    risk 0.28cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to…

  • CVE-2026-29070MedMar 27, 2026
    risk 0.28cvss 5.4epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge…

  • CVE-2026-44550MedMay 15, 2026
    risk 0.26cvss 5.0epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in…

  • CVE-2025-15603LowMar 9, 2026
    risk 0.24cvss 3.7epss 0.00

    A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible…

  • CVE-2026-45317MedMay 15, 2026
    risk 0.23cvss 4.6epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a…

  • CVE-2026-45347MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) via the PDF generate function. In the PDF export, user inputs are interpreted as HTML and embedded into the…

  • CVE-2026-45387MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt.…

  • CVE-2026-45386MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing…

  • CVE-2026-45385MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators)…

  • CVE-2026-44559MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private…

  • CVE-2026-44557MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-*…

  • CVE-2026-45316LowMay 15, 2026
    risk 0.16cvss 3.5epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is_pinned field) but only checks for read permission. Users with read-only access…

  • CVE-2026-29071LowMar 27, 2026
    risk 0.13cvss 3.1epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.

  • CVE-2024-7034Mar 20, 2025
    risk 0.01cvss epss 0.02

    In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of `file_path = f"{UPLOAD_DIR}/{file.filename}"` without proper input validation or…

  • CVE-2026-54022Jun 17, 2026
    risk 0.00cvss epss 0.00

    ### Summary The `ydoc:document:join` Socket.IO handler checks note ownership only when the `document_id` starts with `note:` (colon). However, the `YdocManager` storage layer normalizes all document IDs by replacing colons with underscores (`document_id.replace(":", "_")`). An…

  • CVE-2026-54021Jun 17, 2026
    risk 0.00cvss epss 0.00

    ## Summary Several direct, index-addressed Ollama proxy routes accept a caller-supplied `url_idx` path parameter and use it as a raw index into the admin-configured `OLLAMA_BASE_URLS` list. Access control on these routes validates only whether the user may use the requested…

  • CVE-2026-54019Jun 17, 2026
    risk 0.00cvss epss 0.00

    # RAG ACL Bypass in Milvus Multitenancy Mode ## Summary This is a bypass of the fix for: - GHSA-h36f-rqpx-j5wx - CVE-2026-44560 - "Unauthorized File and Knowledge Base Content Access via RAG Vector Search" Open WebUI added collection-level ACL checks, but the patch can still…

  • CVE-2026-54016Jun 17, 2026
    risk 0.00cvss epss 0.00

    ## Summary Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin `search_knowledge_files` tool. When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call…

  • CVE-2026-54015Jun 17, 2026
    risk 0.00cvss epss 0.00

    ## Summary Open WebUI's prompt version-history endpoints authorize the `prompt_id` in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (`history_entry.prompt_id == prompt.id`). Three operations are affected: -…

Page 4 of 7