open-webui
PyPI99 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting open-webuipage 2 of 2
- CVE-2026-44571MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.8.62026-05-15
vulnerable: 0.1.124 ... 0.8.5 (144 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels (i.e., channels whose channel.type is neither group nor dm), the endpoint POST /api/v1/channels/{channe…
- CVE-2026-44721HIGHCVSS 7.3EG 7.3✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspa…
- CVE-2026-45299MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.8.02026-05-15
vulnerable: 0.1.124 ... 0.7.2 (138 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profile_image_url field on the user profile update form accepted arbitrary data: URI values without MIME-type validation…
- CVE-2026-45301HIGHCVSS 8.1EG 8.1✓ Fixed in 0.3.162026-05-15
vulnerable: 0.1.124 ... 0.3.9 (23 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete ever…
- CVE-2026-45303HIGHCVSS 7.7EG 7.7✓ Fixed in 0.6.52026-05-15
vulnerable: 0.1.124 ... 0.6.4 (95 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTM…
- CVE-2026-45314MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.9.32026-05-15
vulnerable: 0.1.124 ... 0.9.2 (154 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... p…
- CVE-2026-45315HIGHCVSS 8.7EG 8.7✓ Fixed in 0.9.32026-05-15
vulnerable: 0.1.124 ... 0.9.2 (154 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CA…
- CVE-2026-45316LOWCVSS 3.5EG 3.5✓ Fixed in 0.9.32026-05-15
vulnerable: 0.1.124 ... 0.9.2 (154 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is_pinned field) but only checks for read …
- CVE-2026-45317MEDIUMCVSS 4.6EG 4.6✓ Fixed in 0.9.32026-05-15
vulnerable: 0.1.124 ... 0.9.2 (154 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An…
- CVE-2026-45318MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.9.32026-05-15
vulnerable: 0.1.124 ... 0.9.2 (154 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS (CVE-2026-44549). The same root cause — XLSX.utils.shee…
- CVE-2026-45331HIGHCVSS 8.5EG 8.5✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators libr…
- CVE-2026-45338HIGHCVSS 7.7EG 7.7✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() in backend/open_webui/utils/oauth.py (li…
- CVE-2026-45345MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.5.72026-05-15
vulnerable: 0.1.124 ... 0.5.6 (76 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during e…
- CVE-2026-45347MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.5.112026-05-15
vulnerable: 0.1.124 ... 0.5.9 (80 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) via the PDF generate function. In the PDF export, user inputs are inter…
- CVE-2026-45349HIGHCVSS 7.1EG 7.1✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key (generated in OWUI) and the Chat ID …
- CVE-2026-45350HIGHCVSS 7.1EG 7.1✓ Fixed in 0.8.62026-05-15
vulnerable: 0.1.124 ... 0.8.5 (144 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass tool restrictions, potentially enabling un…
- CVE-2026-45351MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.8.92026-05-15
vulnerable: 0.1.124 ... 0.8.8 (147 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into the application, a http://IP:8080/api/models? web request is initiated by the appl…
- CVE-2026-45365MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.8.112026-05-15
vulnerable: 0.1.124 ... 0.8.9 (149 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via…
- CVE-2026-45385MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by o…
- CVE-2026-45386MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it…
- CVE-2026-45387MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also …
- CVE-2026-45396MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which…
- CVE-2026-45397MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, …
- CVE-2026-45398HIGHCVSS 7.5EG 7.5✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base…
- CVE-2026-45399HIGHCVSS 7.1EG 7.1✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging …
- CVE-2026-45400HIGHCVSS 8.5EG 8.5✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. This vulnerability is …
- CVE-2026-45401HIGHCVSS 8.5EG 8.5✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the cal…
- CVE-2026-45402HIGHCVSS 8.1EG 8.1✓ Fixed in 0.9.52026-05-15
vulnerable: 0.1.124 ... 0.9.4 (156 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder k…
- CVE-2026-45666MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.8.112026-05-15
vulnerable: 0.1.124 ... 0.8.9 (149 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes …
- CVE-2026-45667MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.8.02026-05-15
vulnerable: 0.1.124 ... 0.7.2 (138 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDING_FUNCTION(...). This al…
- CVE-2026-45671HIGHCVSS 8.0EG 8.0✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file …
- CVE-2026-45672HIGHCVSS 8.8EG 8.8✓ Fixed in 0.8.122026-05-15
vulnerable: 0.1.124 ... 0.8.9 (150 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the adm…
- CVE-2026-45675HIGHCVSS 8.1EG 8.1✓ Fixed in 0.9.02026-05-15
vulnerable: 0.1.124 ... 0.8.9 (151 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignmen…
- CVE-2026-54006MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write access to the calendar the event current…
- CVE-2026-54007MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt…
- CVE-2026-54008HIGHCVSS 8.5EG 8.5✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_url) on the initial URL only, then invoke…
- CVE-2026-54009MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an image_url.url value that, when it does NOT start with http://, https://, or data:image…
- CVE-2026-54010HIGHCVSS 8.3EG 8.3✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether the…
- CVE-2026-54011MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6,Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM us…
- CVE-2026-54012HIGHCVSS 7.1EG 7.1✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their mo…
- CVE-2026-54013HIGHCVSS 7.6EG 7.6✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profi…
- CVE-2026-54014MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read…
- CVE-2026-54015MEDIUMCVSS 6.4EG 6.4✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs…
- CVE-2026-54016MEDIUMCVSS 4.3EG 4.3✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin search_knowledge_files tool. When nat…
- CVE-2026-54017HIGHCVSS 7.7EG 7.7✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `p…
- CVE-2026-54018HIGHCVSS 7.7EG 7.7✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the use…
- CVE-2026-54019MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. …
- CVE-2026-54021MEDIUMCVSS 6.3EG 6.3✓ Fixed in 0.9.62026-06-17
vulnerable: 0.1.124 ... 0.9.5 (157 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw inde…
- CVE-2026-54022MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.8.112026-06-17
vulnerable: 0.1.124 ... 0.8.9 (149 versions)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the ydoc:document:join Socket.IO handler checks note ownership only when the document_id starts with note: (colon). However…
Check whether open-webui is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for open-webui CVEs against the assets you own.
Start Free Scan →