VYPR
advisoryPublished Jun 17, 2026· Updated Jun 18, 2026· 1 source

Open WebUI: 16 CVEs Disclosed in Single-Day Batch, Many Bypassing Earlier Patches

Key findings • 16 CVEs disclosed in a single 4-hour window on June 17, 2026 • Multiple IDOR and BOLA flaws allow cross-user file and note access • SSRF bypasses in Playwright and OAuth UR…

Key findings

  • 16 CVEs disclosed in a single 4-hour window on June 17, 2026
  • Multiple IDOR and BOLA flaws allow cross-user file and note access
  • SSRF bypasses in Playwright and OAuth URL validation via HTTP redirects
  • Stored XSS in model profile images and Mermaid Markdown preview
  • Several CVEs are bypasses of earlier patches (CVE-2026-44560, CVE-2026-45401)
  • No consolidated patch released yet; users should monitor for updates

On June 17, 2026, security researchers disclosed 16 vulnerabilities in Open WebUI, the popular self-hosted AI interface for LLMs like Ollama and OpenAI-compatible backends. The batch spans a wide range of bug classes—broken access control, server-side request forgery (SSRF), path traversal, stored cross-site scripting (XSS), and insecure direct object references (IDOR)—with several CVEs rated high severity. Many of the flaws are bypasses of earlier patches, suggesting that Open WebUI's security posture has been under sustained scrutiny.

Access Control and IDOR Flaws

A cluster of vulnerabilities revolves around Open WebUI's failure to enforce ownership checks on user data. CVE-2026-54022 lets any authenticated user read other users' private notes via the Socket.IO ydoc:document:join handler by exploiting a normalization mismatch between colons and underscores in document IDs. CVE-2026-54015 is an IDOR in the prompt version-history endpoints: the server validates the prompt_id parameter but then acts on caller-supplied history IDs without verifying they belong to that prompt, enabling cross-prompt read and deletion. CVE-2026-54006 allows an attacker to move a calendar event into another user's calendar because the POST /api/v1/calendars/events/{event_id}/update endpoint checks write access on the source calendar but not on the destination calendar_id supplied in the request body.

File Disclosure and Knowledge Base Bypasses

Several CVEs target Open WebUI's file and knowledge-base access controls. CVE-2026-54009 is a cross-user file disclosure via the POST /api/chat/completions endpoint: when image_url.url does not start with http://, https://, or data:image/, it is treated as a file ID and resolved against the global file table with no ownership check. CVE-2026-54010 lets an authenticated user attach arbitrary file_id values to their own chat message, then share that chat to gain read access to victim files. CVE-2026-54012 is similar but targets workspace models: a user who can create or update models can store arbitrary meta.knowledge entries referencing files they do not own, and Open WebUI treats those entries as an authorization source. CVE-2026-54016 is a BOLA in the search_knowledge_files tool that allows unauthorized enumeration of knowledge base files when native function calling is enabled.

SSRF and Path Traversal

CVE-2026-54018 bypasses SSRF protections in the Playwright web loader: the validate_url function checks only the initial URL, but Playwright follows HTTP redirects by default, allowing an attacker to redirect the request to internal hosts. CVE-2026-54008 is a sibling bypass of CVE-2026-45401 in the OAuth _process_picture_url function—again, validation runs only on the initial URL while aiohttp follows redirects. CVE-2026-54017 is a path traversal and SSRF in the terminal server proxy: an authenticated user with terminal access can craft encoded path traversal sequences to reach arbitrary endpoints on the terminal server. CVE-2026-54014 exploits an incomplete startswith check in the /cache/{path} endpoint, letting authenticated users read sibling directories outside the intended cache directory.

Stored XSS and Cross-Origin Attacks

CVE-2026-54013 is a stored XSS leading to account takeover via model profile images. Open WebUI had previously patched SVG XSS in user and webhook profile images but missed the same fix for model profile images. CVE-2026-54011 is a stored XSS in Mermaid Markdown preview: the file preview panel renders Mermaid blocks with securityLevel: 'loose' and inserts the generated SVG via innerHTML, allowing attacker-controlled Mermaid content to execute JavaScript. CVE-2026-54007 is a cross-origin postMessage bypass: the chat message listener accepts input:prompt and action:submit messages from any origin, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session.

RAG ACL Bypass and Backend Abuse

CVE-2026-54019 bypasses a previous fix (CVE-2026-44560) for unauthorized file access via RAG vector search. The collection-level ACL checks added in the earlier patch can be circumvented when Milvus multitenancy mode is enabled. CVE-2026-54021 lets authenticated users target arbitrary configured Ollama backends: several proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list without verifying which backend the user is authorized to use.

Response and Patch Status

Open WebUI has not yet released a consolidated patch for all 16 CVEs at the time of disclosure. Users are advised to review the individual advisories and apply mitigations where available, such as disabling Milvus multitenancy mode for CVE-2026-54019, restricting terminal server access for CVE-2026-54017, and monitoring for signs of exploitation. The breadth of the batch—spanning IDOR, SSRF, XSS, path traversal, and ACL bypass—underscores the challenge of securing a rapidly evolving AI platform that integrates multiple backends, file stores, and real-time collaboration features. Administrators should prioritize updating to the latest version once a fix is published and audit their configurations for exposed endpoints.

Synthesized by Vypr AI