open-webui
PyPI99 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting open-webuipage 1 of 2
- CVE-2024-12534HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 0.1.124 ... 0.3.9 (50 versions)
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerabili…
- CVE-2024-12537HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 0.1.124 ... 0.3.9 (50 versions)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high …
- CVE-2024-6706MEDIUMCVSS 6.1EG 6.12024-08-07
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.
- CVE-2024-7033HIGHCVSS 7.2EG 6.52025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on Windows, the application improperly handles file paths, allowing an attacker to manipulate the file pa…
- CVE-2024-7034HIGHCVSS 7.2EG 6.52025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of `file_path = f"{UPLOAD_DIR}/{file.filename}"` …
- CVE-2024-7035MEDIUMCVSS 6.9EG 6.92025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
In version v0.3.8 of open-webui/open-webui, sensitive actions such as deleting and resetting are performed using the GET method. This vulnerability allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks, where an unaware u…
- CVE-2024-7036HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. This prevents administrators from performing ess…
- CVE-2024-7037HIGHCVSS 7.2EG 6.52024-10-09
vulnerable: 0.1.124 ... 0.3.8 (21 versions)
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite…
- CVE-2024-7038LOWCVSS 2.7EG 2.72024-10-09
vulnerable: 0.1.124 ... 0.3.8 (21 versions)
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists a…
- CVE-2024-7039MEDIUMCVSS 6.7EG 8.32025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users…
- CVE-2024-7041MEDIUMCVSS 6.5EG 6.52024-10-09
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint `http://0.0.0.0:3000/api/v1/memories/{id}/update`, where the decentralization design is f…
- CVE-2024-7043HIGHCVSS 8.8EG 8.12025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GE…
- CVE-2024-7044HIGHCVSS 8.9EG 6.82025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or …
- CVE-2024-7045MEDIUMCVSS 4.3EG 4.32025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the…
- CVE-2024-7046MEDIUMCVSS 4.3EG 4.32025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1…
- CVE-2024-7053CRITICALCVSS 9.0EG 7.62025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure…
- CVE-2024-7806HIGHCVSS 8.8EG 8.8✓ Fixed in 0.3.332025-03-20
vulnerable: 0.1.124 ... 0.3.9 (51 versions)
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and la…
- CVE-2024-7959HIGHCVSS 7.7EG 7.72025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specif…
- CVE-2024-7983HIGHCVSS 7.5EG 7.52025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of servic…
- CVE-2024-7990HIGHCVSS 8.4EG 8.42025-03-20
vulnerable: 0.1.124 ... 0.3.8 (17 versions)
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rend…
- CVE-2024-8053HIGHCVSS 8.2EG 7.52025-03-20
vulnerable: 0.1.124 ... 0.3.9 (19 versions)
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST re…
- CVE-2024-8060HIGHCVSS 8.1EG 8.1✓ Fixed in 0.5.172025-03-20
vulnerable: 0.1.124 ... 0.5.9 (86 versions)
OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-co…
- CVE-2025-63681MEDIUMCVSS 4.3EG 4.32025-12-04
vulnerable: 0.1.124 ... 0.6.9 (125 versions)
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.
- CVE-2025-64495MEDIUMCVSS 5.4EG 8.7✓ Fixed in 0.6.352025-11-08
vulnerable: 0.1.124 ... 0.6.9 (126 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Promp…
- CVE-2025-64496HIGHCVSS 8.0EG 7.3✓ Fixed in 0.6.352025-11-08
vulnerable: 0.1.124 ... 0.6.9 (126 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model ser…
- CVE-2025-65958HIGHCVSS 7.1EG 8.5✓ Fixed in 0.6.372025-12-04
vulnerable: 0.1.124 ... 0.6.9 (128 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make …
- CVE-2026-26192HIGHCVSS 7.3EG 7.3✓ Fixed in 0.7.02026-07-07
vulnerable: 0.1.124 ... 0.6.9 (135 versions)
Open WebUI vulnerable to Stored XSS via iFrame in citations model ### Summary Manually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats document …
- CVE-2026-34222HIGHCVSS 7.7EG 7.7✓ Fixed in 0.8.112026-04-01
vulnerable: 0.1.124 ... 0.8.9 (149 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11.
- CVE-2026-44549HIGHCVSS 7.3EG 7.3✓ Fixed in 0.8.02026-05-15
vulnerable: 0.1.124 ... 0.7.2 (138 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function…
- CVE-2026-44550MEDIUMCVSS 5.0EG 5.0✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation…
- CVE-2026-44551CRITICALCVSS 9.1EG 9.1✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind …
- CVE-2026-44552HIGHCVSS 8.7EG 8.7✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a …
- CVE-2026-44553HIGHCVSS 8.1EG 8.1✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a u…
- CVE-2026-44554HIGHCVSS 8.1EG 8.1✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (de…
- CVE-2026-44555HIGHCVSS 7.6EG 7.6✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g., "Cheap Assistant") can reference an exi…
- CVE-2026-44556HIGHCVSS 7.1EG 7.1✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM p…
- CVE-2026-44557MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections ma…
- CVE-2026-44558MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can cre…
- CVE-2026-44559MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For st…
- CVE-2026-44560MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare collection_name/collection_names paths in t…
- CVE-2026-44561MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a…
- CVE-2026-44562MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing m…
- CVE-2026-44563MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the …
- CVE-2026-44564MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (lin…
- CVE-2026-44565HIGHCVSS 8.1EG 8.1✓ Fixed in 0.6.102026-05-15
vulnerable: 0.1.124 ... 0.6.9 (101 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.10, when uploading an audio file, the name of the file is derived from the original HTTP upload request and is not validated or…
- CVE-2026-44566HIGHCVSS 7.3EG 7.3✓ Fixed in 0.1.1242026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a promp, the name of the file is derived from the original HTTP upload request and is not validate…
- CVE-2026-44567HIGHCVSS 7.3EG 7.3✓ Fixed in 0.1.1242026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is confi…
- CVE-2026-44568MEDIUMCVSS 4.8EG 4.8✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse() inside …
- CVE-2026-44569HIGHCVSS 7.1EG 7.1✓ Fixed in 0.6.192026-05-15
vulnerable: 0.1.124 ... 0.6.9 (109 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message w…
- CVE-2026-44570HIGHCVSS 8.3EG 8.3✓ Fixed in 0.6.192026-05-15
vulnerable: 0.1.124 ... 0.6.9 (109 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delet…
Check whether open-webui is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for open-webui CVEs against the assets you own.
Start Free Scan →