Vulnerabilities

Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.

Filtering: Tag: openwebui Clear
ID Title
CVE-2026-54022 Vulnerability in open-webui (CVE-2026-54022)
vulnerability in open-webui (CVE-2026-54022). Confidential information can be exposed externally. Exploitable via ``document_id``. Mitigation: upgrade to `0.8.11` or later.
CVE-2026-54021 Authorization Flaw in open-webui (CVE-2026-54021)
vulnerability in open-webui (CVE-2026-54021). Risk of unauthorized operations or information disclosure. Exploitable via `POST /ollama/api/chat/{url_idx}`. Mitigation: upgrade to `>= 0.9.6` or later.
CVE-2026-54019 Vulnerability in open-webui (CVE-2026-54019)
vulnerability in open-webui (CVE-2026-54019). Confidential information can be exposed externally. Exploitable via `POST /api/v1/retrieval/query/collection`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54018 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-54018)
SSRF in open-webui (CVE-2026-54018). Confidential information can be exposed externally. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54017 Path Traversal in open-webui (CVE-2026-54017)
path traversal in open-webui (CVE-2026-54017). Confidential information can be exposed externally. Exploitable via `GET /api/v1/terminals/server1/..`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54016 Vulnerability in open-webui (CVE-2026-54016)
vulnerability in open-webui (CVE-2026-54016). Risk of unauthorized operations or information disclosure. Exploitable via ``search_knowledge_files``. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54015 Vulnerability in open-webui (CVE-2026-54015)
vulnerability in open-webui (CVE-2026-54015). Confidential information can be exposed externally. Exploitable via `GET /api/v1/prompts/id/{prompt_id}/history/diff`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54014 Path Traversal in open-webui (CVE-2026-54014)
path traversal in open-webui (CVE-2026-54014). Risk of unauthorized operations or information disclosure. Exploitable via `GET /cache/{{path}}`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54013 Cross-Site Scripting (XSS) in open-webui (CVE-2026-54013)
cross-site scripting in open-webui (CVE-2026-54013). Confidential information can be exposed externally. Exploitable via `GET /api/v1/models/model/profile/image`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54012 Vulnerability in open-webui (CVE-2026-54012)
vulnerability in open-webui (CVE-2026-54012). Confidential information can be exposed externally. Exploitable via `GET /api/v1/files/{id}/content`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54011 Cross-Site Scripting (XSS) in open-webui (CVE-2026-54011)
cross-site scripting in open-webui (CVE-2026-54011). Confidential information can be exposed externally. Exploitable via ``innerHTML``. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54010 Vulnerability in open-webui (CVE-2026-54010)
vulnerability in open-webui (CVE-2026-54010). Confidential information can be exposed externally. Exploitable via `GET /api/v1/files/{id}/content`. Mitigation: upgrade to `>= 0.9.6` or later.
CVE-2026-54009 Vulnerability in open-webui (CVE-2026-54009)
vulnerability in open-webui (CVE-2026-54009). Confidential information can be exposed externally. Exploitable via `POST /api/chat/completions`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54008 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-54008)
SSRF in open-webui (CVE-2026-54008). Confidential information can be exposed externally. Exploitable via `GET /api/v1/auths/`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-54007 Vulnerability in open-webui (CVE-2026-54007)
vulnerability in open-webui (CVE-2026-54007). Data can be tampered with by attackers. Exploitable via `POST /api/v1/chats/new`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-54006 Vulnerability in open-webui (CVE-2026-54006)
vulnerability in open-webui (CVE-2026-54006). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/calendars/events/{event_id}/update`. Mitigation: upgrade to `0.9.6` or later.
CVE-2026-45675 Privilege Escalation in open-webui (CVE-2026-45675)
vulnerability in open-webui (CVE-2026-45675). Successful exploitation can lead to full system takeover. Exploitable via ``signup_handler``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45672 Authorization Flaw in open-webui (CVE-2026-45672)
vulnerability in open-webui (CVE-2026-45672). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `0.8.12` or later.
CVE-2026-45671 Vulnerability in open-webui (CVE-2026-45671)
vulnerability in open-webui (CVE-2026-45671). Successful exploitation can lead to full system takeover. Exploitable via `DELETE /api/v1/files/{id}`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45667 Vulnerability in open-webui (CVE-2026-45667)
vulnerability in open-webui (CVE-2026-45667). Risk of unauthorized operations or information disclosure. Exploitable via `Authorization header`. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-45666 Vulnerability in open-webui (CVE-2026-45666)
vulnerability in open-webui (CVE-2026-45666). Confidential information can be exposed externally. Exploitable via `GET /api/config.`. Mitigation: upgrade to `0.8.11` or later.
CVE-2026-45665 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45665)
cross-site scripting in open-webui (CVE-2026-45665). Confidential information can be exposed externally. Exploitable via ``marked.parse``. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-45402 Vulnerability in open-webui (CVE-2026-45402)
vulnerability in open-webui (CVE-2026-45402). Confidential information can be exposed externally. Exploitable via `POST /api/v1/folders/{id}/update`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45401 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45401)
SSRF in open-webui (CVE-2026-45401). Confidential information can be exposed externally. Exploitable via ``requests``. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45400 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45400)
SSRF in open-webui (CVE-2026-45400). Confidential information can be exposed externally. Exploitable via ``requests``. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45399 Vulnerability in open-webui (CVE-2026-45399)
vulnerability in open-webui (CVE-2026-45399). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/tasks`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45398 Vulnerability in open-webui (CVE-2026-45398)
vulnerability in open-webui (CVE-2026-45398). Successful exploitation can lead to full system takeover. Exploitable via `POST /api/v1/retrieval/query/doc`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45397 Vulnerability in open-webui (CVE-2026-45397)
vulnerability in open-webui (CVE-2026-45397). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/v1/retrieval/`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45396 Vulnerability in open-webui (CVE-2026-45396)
vulnerability in open-webui (CVE-2026-45396). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/evaluations/feedback`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45395 Privilege Escalation in open-webui (CVE-2026-45395)
vulnerability in open-webui (CVE-2026-45395). Successful exploitation can lead to full system takeover. Exploitable via `POST /api/v1/tools/id/{id}/update`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45387 Information Disclosure in open-webui (CVE-2026-45387)
vulnerability in open-webui (CVE-2026-45387). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45386 Vulnerability in open-webui (CVE-2026-45386)
vulnerability in open-webui (CVE-2026-45386). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/channels/create`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45385 Vulnerability in open-webui (CVE-2026-45385)
vulnerability in open-webui (CVE-2026-45385). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/channels/create`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45365 Vulnerability in open-webui (CVE-2026-45365)
vulnerability in open-webui (CVE-2026-45365). Risk of unauthorized operations or information disclosure. Exploitable via `POST /openai/chat/completions`. Mitigation: upgrade to `0.8.11` or later.
CVE-2026-45351 Information Disclosure in open-webui (CVE-2026-45351)
vulnerability in open-webui (CVE-2026-45351). Confidential information can be exposed externally. Exploitable via `GET /api/models`. Mitigation: upgrade to `0.8.9` or later.
CVE-2026-45350 Vulnerability in open-webui (CVE-2026-45350)
vulnerability in open-webui (CVE-2026-45350). Confidential information can be exposed externally. Exploitable via ``tool_id``. Mitigation: upgrade to `0.8.6` or later.
CVE-2026-45349 Vulnerability in open-webui (CVE-2026-45349)
vulnerability in open-webui (CVE-2026-45349). Confidential information can be exposed externally. Exploitable via ``chat_completion``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45347 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45347)
SSRF in open-webui (CVE-2026-45347). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/utils/pdf`. Mitigation: upgrade to `0.5.11` or later.
CVE-2026-45346 Vulnerability in open-webui (CVE-2026-45346)
vulnerability in open-webui (CVE-2026-45346). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.6.31` or later.
CVE-2026-45345 Vulnerability in open-webui (CVE-2026-45345)
vulnerability in open-webui (CVE-2026-45345). Data can be tampered with by attackers. Exploitable via `POST /api/v1/models/model/update`. Mitigation: upgrade to `0.5.7` or later.
CVE-2026-45339 Authorization Flaw in open-webu (CVE-2026-45339)
vulnerability in open-webu (CVE-2026-45339). Confidential information can be exposed externally. Exploitable via `Authorization header`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45338 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45338)
SSRF in open-webui (CVE-2026-45338). Confidential information can be exposed externally. Exploitable via ``picture``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45331 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45331)
SSRF in open-webui (CVE-2026-45331). Confidential information can be exposed externally. Exploitable via ``validators``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45317 Vulnerability in open-webui (CVE-2026-45317)
vulnerability in open-webui (CVE-2026-45317). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45318 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45318)
cross-site scripting in open-webui (CVE-2026-45318). Risk of unauthorized operations or information disclosure. Exploitable via ``fileOfficeHtml``. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-45316 Authorization Flaw in open-webui (CVE-2026-45316)
vulnerability in open-webui (CVE-2026-45316). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/notes/{id}/pin`. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45314 Vulnerability in open-webui (CVE-2026-45314)
vulnerability in open-webui (CVE-2026-45314). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/v1/channels/webhooks/{webhook_id}/profile/image`. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45315 Unrestricted File Upload in open-webui (CVE-2026-45315)
vulnerability in open-webui (CVE-2026-45315). Confidential information can be exposed externally. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45303 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45303)
cross-site scripting in open-webui (CVE-2026-45303). Confidential information can be exposed externally. Exploitable via ``High``. Mitigation: upgrade to `0.6.5` or later.
CVE-2026-45301 Vulnerability in open-webui (CVE-2026-45301)
vulnerability in open-webui (CVE-2026-45301). Confidential information can be exposed externally. Exploitable via ``user_id``. Mitigation: upgrade to `0.3.16` or later.

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →