VYPR

Vendor CVEs

Openwebui

All CVEs

122 total · sorted by risk
  • CVE-2026-44568 · Med · May 15, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse() inside {@html} with an incorrect DOMPurify…

  • CVE-2026-45365 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing…

  • CVE-2026-45346 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. This vulnerability is fixed in 0.6.31.

  • CVE-2026-45318 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, this advisory tracks a regression of the original Excel-preview XSS (CVE-2026-44549). The same root cause — XLSX.utils.sheet_to_html() output rendered via {@html…

  • CVE-2026-45299 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profile_image_url field on the user profile update form accepted arbitrary data: URI values without MIME-type validation, resulting in an XSS vulnerability. This…

  • CVE-2026-45397 · Med · May 15, 2026
    risk 0.28 · cvss 5.3 · epss 0.01

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every…

  • CVE-2026-45396 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config =…

  • CVE-2026-44564 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (line 678) but does not verify that the…

  • CVE-2026-44563 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without…

  • CVE-2026-44561 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM…

  • CVE-2026-44558 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a…

  • CVE-2026-34225 · Med · Apr 14, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to…

  • CVE-2026-29070 · Med · Mar 27, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge…

  • CVE-2026-44550 · Med · May 15, 2026
    risk 0.26 · cvss 5.0 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in…

  • CVE-2025-15603 · Low · Mar 9, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible…

  • CVE-2026-45317 · Med · May 15, 2026
    risk 0.23 · cvss 4.6 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found in Open-WebUI's image uploading functionality. An attacker can set an image URL to a…

  • CVE-2026-45347 · Med · May 15, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) via the PDF generate function. In the PDF export, user inputs are interpreted as HTML and embedded into the…

  • CVE-2026-45387 · Med · May 15, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt.…

  • CVE-2026-45386 · Med · May 15, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (it modifies the message's is_pinned, pinned_by and pinned_at fields), but in standard channels it only checks read permission, allowing…

  • CVE-2026-45385 · Med · May 15, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators)…

  • CVE-2026-44559 · Med · May 15, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private…

  • CVE-2026-44557 · Med · May 15, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-*…

  • CVE-2026-45316 · Low · May 15, 2026
    risk 0.16 · cvss 3.5 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is_pinned field) but only checks for read permission. Users with read-only access…

  • CVE-2026-29071 · Low · Mar 27, 2026
    risk 0.13 · cvss 3.1 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.

  • CVE-2024-7034 · Mar 20, 2025
    risk 0.01 · cvss n/a · epss 0.02

    In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of `file_path = f"{UPLOAD_DIR}/{file.filename}"` without proper input validation or…

  • CVE-2026-54022 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: The `ydoc:document:join` Socket.IO handler checks note ownership only when the `document_id` starts with `note:` (colon). However, the `YdocManager` storage layer normalizes all document IDs by replacing colons with underscores (`document_id.replace(":", "_")`). An…

  • CVE-2026-54021 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: Several direct, index-addressed Ollama proxy routes accept a caller-supplied `url_idx` path parameter and use it as a raw index into the admin-configured `OLLAMA_BASE_URLS` list. Access control on these routes validates only whether the user may use the requested…

  • CVE-2026-54019 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    RAG ACL Bypass in Milvus Multitenancy Mode. Summary: This is a bypass of the fix for GHSA-h36f-rqpx-j5wx / CVE-2026-44560 ("Unauthorized File and Knowledge Base Content Access via RAG Vector Search"). Open WebUI added collection-level ACL checks, but the patch can still…

  • CVE-2026-54016 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin `search_knowledge_files` tool. When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call…

  • CVE-2026-54015 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: Open WebUI's prompt version-history endpoints authorize the `prompt_id` in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (`history_entry.prompt_id == prompt.id`). Three operations are affected: -…

  • CVE-2026-54014 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete `startswith` containment check that lacks a…

  • CVE-2026-54009 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: `POST /api/chat/completions` accepts an `image_url.url` value that, when it does NOT start with `http://`, `https://`, or `data:image/`, is interpreted as a file id and resolved against the global file table with no ownership check. An authenticated user can…

  • CVE-2026-54006 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: `POST /api/v1/calendars/events/{event_id}/update` validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination `calendar_id` supplied in the request body. The model layer then persists the…

  • CVE-2026-28786 · Mar 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose…

  • CVE-2026-26193 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, manually modifying chat history allows setting the `embeds` property on a response message, the content of which is loaded into an iFrame with a sandbox…

  • CVE-2026-26192 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, manually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats…

  • CVE-2026-0767 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. …

  • CVE-2026-0766 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.27

    Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw…

  • CVE-2026-0765 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.02

    Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The…

  • CVE-2025-63391 · Dec 18, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.

  • CVE-2025-65959 · Dec 4, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags…

  • CVE-2025-65958 · Dec 4, 2025
    risk 0.00 · cvss n/a · epss 0.04

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This…

  • CVE-2025-63681 · Dec 4, 2025
    risk 0.00 · cvss n/a · epss 0.00

    open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.

  • CVE-2025-64496 · Nov 8, 2025
    risk 0.00 · cvss n/a · epss 0.08

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in…

  • CVE-2025-64495 · Nov 8, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the…

  • CVE-2025-46719 · May 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain HTML tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript…

  • CVE-2025-46571 · May 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the `/api/v1/files/` backend endpoint. This endpoint returns a file id, which…

  • CVE-2025-29446 · Apr 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection.

  • CVE-2024-8017 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and…

  • CVE-2024-7053 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session…