Vulnerabilities

Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.

Filtering: Group: cwe Tag: openwebui Clear
ID Title
CVE-2026-54022 Vulnerability in open-webui (CVE-2026-54022)
vulnerability in open-webui (CVE-2026-54022). Confidential information can be exposed externally. Exploitable via ``document_id``. Mitigation: upgrade to `0.8.11` or later.
CVE-2026-54021 Authorization Flaw in open-webui (CVE-2026-54021)
vulnerability in open-webui (CVE-2026-54021). Risk of unauthorized operations or information disclosure. Exploitable via `POST /ollama/api/chat/{url_idx}`. Mitigation: upgrade to `>= 0.9.6` or later.
CVE-2026-54019 Vulnerability in open-webui (CVE-2026-54019)
vulnerability in open-webui (CVE-2026-54019). Confidential information can be exposed externally. Exploitable via `POST /api/v1/retrieval/query/collection`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54018 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-54018)
SSRF in open-webui (CVE-2026-54018). Confidential information can be exposed externally. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54017 Path Traversal in open-webui (CVE-2026-54017)
path traversal in open-webui (CVE-2026-54017). Confidential information can be exposed externally. Exploitable via `GET /api/v1/terminals/server1/..`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54015 Vulnerability in open-webui (CVE-2026-54015)
vulnerability in open-webui (CVE-2026-54015). Confidential information can be exposed externally. Exploitable via `GET /api/v1/prompts/id/{prompt_id}/history/diff`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54014 Path Traversal in open-webui (CVE-2026-54014)
path traversal in open-webui (CVE-2026-54014). Risk of unauthorized operations or information disclosure. Exploitable via `GET /cache/{{path}}`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54013 Cross-Site Scripting (XSS) in open-webui (CVE-2026-54013)
cross-site scripting in open-webui (CVE-2026-54013). Confidential information can be exposed externally. Exploitable via `GET /api/v1/models/model/profile/image`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54012 Vulnerability in open-webui (CVE-2026-54012)
vulnerability in open-webui (CVE-2026-54012). Confidential information can be exposed externally. Exploitable via `GET /api/v1/files/{id}/content`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54011 Cross-Site Scripting (XSS) in open-webui (CVE-2026-54011)
cross-site scripting in open-webui (CVE-2026-54011). Confidential information can be exposed externally. Exploitable via ``innerHTML``. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54010 Vulnerability in open-webui (CVE-2026-54010)
vulnerability in open-webui (CVE-2026-54010). Confidential information can be exposed externally. Exploitable via `GET /api/v1/files/{id}/content`. Mitigation: upgrade to `>= 0.9.6` or later.
CVE-2026-54008 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-54008)
SSRF in open-webui (CVE-2026-54008). Confidential information can be exposed externally. Exploitable via `GET /api/v1/auths/`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45675 Privilege Escalation in open-webui (CVE-2026-45675)
vulnerability in open-webui (CVE-2026-45675). Successful exploitation can lead to full system takeover. Exploitable via ``signup_handler``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45672 Authorization Flaw in open-webui (CVE-2026-45672)
vulnerability in open-webui (CVE-2026-45672). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `0.8.12` or later.
CVE-2026-45667 Vulnerability in open-webui (CVE-2026-45667)
vulnerability in open-webui (CVE-2026-45667). Risk of unauthorized operations or information disclosure. Exploitable via `Authorization header`. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-45665 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45665)
cross-site scripting in open-webui (CVE-2026-45665). Confidential information can be exposed externally. Exploitable via ``marked.parse``. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-45401 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45401)
SSRF in open-webui (CVE-2026-45401). Confidential information can be exposed externally. Exploitable via ``requests``. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45400 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45400)
SSRF in open-webui (CVE-2026-45400). Confidential information can be exposed externally. Exploitable via ``requests``. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45399 Vulnerability in open-webui (CVE-2026-45399)
vulnerability in open-webui (CVE-2026-45399). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/tasks`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45397 Vulnerability in open-webui (CVE-2026-45397)
vulnerability in open-webui (CVE-2026-45397). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/v1/retrieval/`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45395 Privilege Escalation in open-webui (CVE-2026-45395)
vulnerability in open-webui (CVE-2026-45395). Successful exploitation can lead to full system takeover. Exploitable via `POST /api/v1/tools/id/{id}/update`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45387 Information Disclosure in open-webui (CVE-2026-45387)
vulnerability in open-webui (CVE-2026-45387). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45365 Vulnerability in open-webui (CVE-2026-45365)
vulnerability in open-webui (CVE-2026-45365). Risk of unauthorized operations or information disclosure. Exploitable via `POST /openai/chat/completions`. Mitigation: upgrade to `0.8.11` or later.
CVE-2026-45351 Information Disclosure in open-webui (CVE-2026-45351)
vulnerability in open-webui (CVE-2026-45351). Confidential information can be exposed externally. Exploitable via `GET /api/models`. Mitigation: upgrade to `0.8.9` or later.
CVE-2026-45350 Vulnerability in open-webui (CVE-2026-45350)
vulnerability in open-webui (CVE-2026-45350). Confidential information can be exposed externally. Exploitable via ``tool_id``. Mitigation: upgrade to `0.8.6` or later.
CVE-2026-45347 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45347)
SSRF in open-webui (CVE-2026-45347). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/utils/pdf`. Mitigation: upgrade to `0.5.11` or later.
CVE-2026-45346 Vulnerability in open-webui (CVE-2026-45346)
vulnerability in open-webui (CVE-2026-45346). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.6.31` or later.
CVE-2026-45345 Vulnerability in open-webui (CVE-2026-45345)
vulnerability in open-webui (CVE-2026-45345). Data can be tampered with by attackers. Exploitable via `POST /api/v1/models/model/update`. Mitigation: upgrade to `0.5.7` or later.
CVE-2026-45339 Authorization Flaw in open-webu (CVE-2026-45339)
vulnerability in open-webu (CVE-2026-45339). Confidential information can be exposed externally. Exploitable via `Authorization header`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45338 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45338)
SSRF in open-webui (CVE-2026-45338). Confidential information can be exposed externally. Exploitable via ``picture``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45331 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45331)
SSRF in open-webui (CVE-2026-45331). Confidential information can be exposed externally. Exploitable via ``validators``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45317 Vulnerability in open-webui (CVE-2026-45317)
vulnerability in open-webui (CVE-2026-45317). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45318 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45318)
cross-site scripting in open-webui (CVE-2026-45318). Risk of unauthorized operations or information disclosure. Exploitable via ``fileOfficeHtml``. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-45316 Authorization Flaw in open-webui (CVE-2026-45316)
vulnerability in open-webui (CVE-2026-45316). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/notes/{id}/pin`. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45315 Unrestricted File Upload in open-webui (CVE-2026-45315)
vulnerability in open-webui (CVE-2026-45315). Confidential information can be exposed externally. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45303 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45303)
cross-site scripting in open-webui (CVE-2026-45303). Confidential information can be exposed externally. Exploitable via ``High``. Mitigation: upgrade to `0.6.5` or later.
CVE-2026-45301 Vulnerability in open-webui (CVE-2026-45301)
vulnerability in open-webui (CVE-2026-45301). Confidential information can be exposed externally. Exploitable via ``user_id``. Mitigation: upgrade to `0.3.16` or later.
CVE-2026-45299 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45299)
cross-site scripting in open-webui (CVE-2026-45299). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/v1/users/{user_id}/profile/image`. Mitigation: upgrade to `>= 0.8.0` or later.
CVE-2026-44571 Vulnerability in open-webui (CVE-2026-44571)
vulnerability in open-webui (CVE-2026-44571). Data can be tampered with by attackers. Exploitable via `POST /api/v1/channels/{channel_id}/messages/{message_id}/update`. Mitigation: upgrade to `0.8.6` or later.
CVE-2026-44569 Vulnerability in open-webui (CVE-2026-44569)
vulnerability in open-webui (CVE-2026-44569). Data can be tampered with by attackers. Exploitable via ``message_id``. Mitigation: upgrade to `0.6.19` or later.
CVE-2026-44565 Path Traversal in open-webui (CVE-2026-44565)
path traversal in open-webui (CVE-2026-44565). Data can be tampered with by attackers. Exploitable via ``DELETE_ME``. Mitigation: upgrade to `0.6.10` or later.
CVE-2026-44566 Path Traversal in open-webui (CVE-2026-44566)
path traversal in open-webui (CVE-2026-44566). Risk of unauthorized operations or information disclosure. Exploitable via ``file``. Mitigation: upgrade to `0.1.124` or later.
CVE-2026-44567 Vulnerability in open-webui (CVE-2026-44567)
vulnerability in open-webui (CVE-2026-44567). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/auths/signup`. Mitigation: upgrade to `0.1.124` or later.
CVE-2026-44549 Cross-Site Scripting (XSS) in open-webui (CVE-2026-44549)
cross-site scripting in open-webui (CVE-2026-44549). Confidential information can be exposed externally. Exploitable via ``XLSX.utils.sheet_to_html``. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-44568 Cross-Site Scripting (XSS) in open-webui (CVE-2026-44568)
cross-site scripting in open-webui (CVE-2026-44568). Risk of unauthorized operations or information disclosure. Exploitable via ``AccountPending.svelte``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-44560 Vulnerability in open-webui (CVE-2026-44560)
vulnerability in open-webui (CVE-2026-44560). Confidential information can be exposed externally. Exploitable via `POST /api/chat/completions`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-44561 Authorization Flaw in open-webui (CVE-2026-44561)
vulnerability in open-webui (CVE-2026-44561). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/v1/channels/{channel_id}/messages`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-44564 Authorization Flaw in open-webui (CVE-2026-44564)
vulnerability in open-webui (CVE-2026-44564). Risk of unauthorized operations or information disclosure. Exploitable via ``read``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-44563 Vulnerability in open-webui (CVE-2026-44563)
vulnerability in open-webui (CVE-2026-44563). Risk of unauthorized operations or information disclosure. Exploitable via `POST /ollama/api/generate`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-44562 Vulnerability in open-webui (CVE-2026-44562)
vulnerability in open-webui (CVE-2026-44562). Data can be tampered with by attackers. Exploitable via `POST /api/v1/models/import`. Mitigation: upgrade to `0.9.0` or later.

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →