Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
Modified: 6/17/2026
package
pkg:pypi/open-webui
Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)
Modified: 5/19/2026
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
Modified: 5/16/2026
Open WebUI has unauthorized deletion of knowledge files
Modified: 3/27/2026
Open WebUI has an LDAP Empty Password Authentication Bypass
Modified: 5/16/2026
Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
Modified: 5/19/2026
Open WebUI Allows Arbitrary File Write via the `download_model` Endpoint
Modified: 3/21/2025
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
Modified: 6/17/2026
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url
Modified: 5/14/2026
Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning
Modified: 5/16/2026
Open WebUI Vulnerable to a Session Fixation Attack
Modified: 3/21/2025
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
Modified: 5/16/2026
Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
Modified: 5/16/2026
Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
Modified: 5/16/2026
Open WebUI's chat completion API allows tool restrictions to be bypassed
Modified: 5/19/2026
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
Modified: 6/17/2026
Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature
Modified: 5/16/2026
Open WebUI has Improper Authorization Control
Modified: 5/19/2026
Open WebUI has stored XSS via the HTML rendering view
Modified: 5/19/2026
open-webui allows writing and deleting arbitrary files
Modified: 10/9/2024
Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability
Modified: 4/15/2025
Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint
Modified: 5/16/2026
Open WebUI Stored Cross-Site Scripting Vulnerability
Modified: 8/8/2024
Open WebUI denial of service through endpoint for converting markdown
Modified: 10/16/2025
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
Modified: 5/16/2026
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Modified: 5/16/2026
Open WebUI has Stored Cross-Site Scripting In Profile Picture
Modified: 5/19/2026
Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability in api/chat/file
Modified: 4/15/2025
Open WebUI has a CORS misconfiguration and session validation issue
Modified: 5/11/2026
Open WebUI has Broken Access Control in Tool Valves
Modified: 4/6/2026
Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
Modified: 5/16/2026
Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants
Modified: 5/16/2026
Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability
Modified: 3/21/2025
Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
Modified: 5/16/2026
Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`
Modified: 5/16/2026
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
Modified: 5/19/2026
Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint
Modified: 3/27/2025
Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining
Modified: 5/16/2026
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web
Modified: 12/5/2025
Open WebUI Has Improper Access Control Leading to Arbitrary Prompt Read
Modified: 10/16/2025
Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels
Modified: 5/16/2026
Open WebUI Uncontrolled Resource Consumption vulnerability
Modified: 4/1/2025
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Modified: 11/15/2025
Open WebUI Allows Arbitrary File Write via the `/models/upload` Endpoint
Modified: 3/21/2025
Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
Modified: 6/17/2026
Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
Modified: 6/17/2026
Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function
Modified: 5/19/2026
Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions
Modified: 10/15/2025
Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Modified: 5/16/2026
open-webui is Vulnerable to Incorrect Access Control
Modified: 12/5/2025
Open WebUI Uncontrolled Resource Consumption vulnerability
Modified: 3/21/2025
open-webui Vulnerable to Stored XSS via Model Description
Modified: 5/16/2026
Open WebUI has Broken Access Control for Completions API
Modified: 5/16/2026
Open WebUI stored cross-site scripting (XSS) vulnerability
Modified: 3/21/2025
Open WebUI missing authorization check at the model update function - models from other users can be updated
Modified: 5/19/2026
Open WebUI Allows Viewing of Admin Details
Modified: 10/16/2025
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
Modified: 5/16/2026
Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search
Modified: 5/16/2026
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
Modified: 5/16/2026
Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)
Modified: 5/19/2026
Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels
Modified: 5/16/2026
Open WebUI has inconsistent authorization controls within memories API
Modified: 5/19/2026
Open WebUI's responses passthrough endpoint lacks access control authorization
Modified: 5/16/2026
Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
Modified: 5/16/2026
Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload
Modified: 3/21/2025
Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}
Modified: 6/17/2026
Open WebUI Arbitrary File Write, Delete via Path Traversal
Modified: 5/19/2026
Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation
Modified: 5/19/2026
Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission
Modified: 5/19/2026
Open WebUI Exposes System Prompt to Regular User [Non-Admin]
Modified: 5/19/2026
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
Modified: 3/27/2026
Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
Modified: 6/17/2026
Open WebUI Allows Arbitrary File Reading and Deletion
Modified: 10/16/2025
Open WebUI has stored XSS in Excel file preview
Modified: 5/19/2026
Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)
Modified: 5/19/2026
Open WebUI's Insecure Message Access Breaks Authorization
Modified: 5/19/2026
Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)
Modified: 5/19/2026
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
Modified: 6/2/2026
open-webui allows enumeration of file names and traversal of directories by observing the error messages
Modified: 10/15/2024
Open WebUI's Model Import Overwrites Any Model Without Ownership Check
Modified: 5/16/2026
Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
Modified: 6/17/2026
Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF)
Modified: 3/21/2025
Open WebUI Allows Admin Deletion via API Endpoint
Modified: 10/15/2025
Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal
Modified: 6/17/2026
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
Modified: 5/16/2026
Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
Modified: 5/19/2026
Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
Modified: 5/16/2026
Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958)
Modified: 5/16/2026
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
Modified: 5/16/2026
Open WebUI: Stored XSS to Account Takeover via Model Profile Images
Modified: 6/17/2026
Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]
Modified: 5/19/2026
Open WebUI: Stored XSS in Mermaid Markdown Preview
Modified: 6/17/2026
Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion
Modified: 6/17/2026
Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO
Modified: 6/9/2026
Open WebUI: Forged chat-file link allows cross-user file read and deletion
Modified: 6/17/2026
Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`
Modified: 3/27/2026
Open WebUI has vulnerable dependency on starlette via fastapi
Modified: 4/15/2025
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
Modified: 11/27/2025
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Modified: 3/27/2026
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
Modified: 6/17/2026