Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    216 vulnerabilities found for open-webui by open-webui

    CVE-2026-59221 (GCVE-0-2026-59221)

    Vulnerability from nvd – Published: 2026-07-09 17:13 – Updated: 2026-07-09 18:09
    VLAI
    Title
    open-webui terminal proxy path traversal guard bypass via 9x encoded traversal
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.6, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59221",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:09:16.352793Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:09:19.712Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.6, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:13:36.193Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26050",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26050"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-frvj-c5qp-xj4w",
            "discovery": "UNKNOWN"
          },
          "title": "open-webui terminal proxy path traversal guard bypass via 9x encoded traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59221",
        "datePublished": "2026-07-09T17:13:36.193Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T18:09:19.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59715 (GCVE-0-2026-59715)

    Vulnerability from nvd – Published: 2026-07-09 16:16 – Updated: 2026-07-09 17:29
    VLAI
    Title
    Open WebUI: Unauthenticated WebSocket Access to Collaborative Document Handlers (ydoc:awareness:update, ydoc:document:leave)
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.6.16, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59715",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:29:40.961598Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:29:46.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.6.16, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:16:02.977Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25946",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25946"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/22f2fe1ffb66c993dad1e0b2b35514acaed2370e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/22f2fe1ffb66c993dad1e0b2b35514acaed2370e"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gmfw-g93r-vg53",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Unauthenticated WebSocket Access to Collaborative Document Handlers (ydoc:awareness:update, ydoc:document:leave)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59715",
        "datePublished": "2026-07-09T16:16:02.977Z",
        "dateReserved": "2026-07-06T15:34:16.916Z",
        "dateUpdated": "2026-07-09T17:29:46.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59227 (GCVE-0-2026-59227)

    Vulnerability from nvd – Published: 2026-07-09 15:56 – Updated: 2026-07-09 15:56
    VLAI
    Title
    Open WebUI: POST /api/v1/images/edit bypasses the global image-edit switch and the per-user image-generation permission
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to invoke server-side image editing with administrator-configured provider credentials. This issue is fixed in version 0.10.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.8.11, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.8.11, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to invoke server-side image editing with administrator-configured provider credentials. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T15:56:44.042Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rqj7-6wrp-6g2g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rqj7-6wrp-6g2g"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26009",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26009"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/e038bab66dec8d17212eec35b5cb6d6b785a4200",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/e038bab66dec8d17212eec35b5cb6d6b785a4200"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-rqj7-6wrp-6g2g",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: POST /api/v1/images/edit bypasses the global image-edit switch and the per-user image-generation permission"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59227",
        "datePublished": "2026-07-09T15:56:44.042Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T15:56:44.042Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59226 (GCVE-0-2026-59226)

    Vulnerability from nvd – Published: 2026-07-09 16:06 – Updated: 2026-07-09 18:08
    VLAI
    Title
    Open WebUI: Scheduled automations continue after pending-user deactivation and stored model ACL revocation
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.0, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:05:13.017696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:08:30.890Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.0, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:06:55.927Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-mvx4-532p-xfm9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-mvx4-532p-xfm9"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26047",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26047"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/920b655f4689e2118de928fbc936f6ebd4fed396",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/920b655f4689e2118de928fbc936f6ebd4fed396"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-mvx4-532p-xfm9",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Scheduled automations continue after pending-user deactivation and stored model ACL revocation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59226",
        "datePublished": "2026-07-09T16:06:55.927Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T18:08:30.890Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59225 (GCVE-0-2026-59225)

    Vulnerability from nvd – Published: 2026-07-09 17:12 – Updated: 2026-07-09 18:08
    VLAI
    Title
    Open WebUI: Arena task endpoints can bypass underlying model access controls
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.8.12, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59225",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:50:11.589065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:08:12.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.8.12, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel\u0027s access check. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:12:14.141Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m3qf-58wf-w979",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m3qf-58wf-w979"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26046",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26046"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/dc4924b66e655b315e3be4430a3e51b7d5c20acc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/dc4924b66e655b315e3be4430a3e51b7d5c20acc"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-m3qf-58wf-w979",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Arena task endpoints can bypass underlying model access controls"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59225",
        "datePublished": "2026-07-09T17:12:14.141Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T18:08:12.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59224 (GCVE-0-2026-59224)

    Vulnerability from nvd – Published: 2026-07-09 17:09 – Updated: 2026-07-10 03:55
    VLAI
    Title
    Open WebUI: Terminal proxy forwards a spoofable, integrity-unbound user identity to the upstream (X-User-Id header and ws_terminal session_id query injection)
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59224",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T03:55:48.312Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:09:31.980Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26042",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26042"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/5f3a628a8d291bb5d33e1a0b0c89fb62a2927934",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/5f3a628a8d291bb5d33e1a0b0c89fb62a2927934"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-j657-m4c4-24jq",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Terminal proxy forwards a spoofable, integrity-unbound user identity to the upstream (X-User-Id header and ws_terminal session_id query injection)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59224",
        "datePublished": "2026-07-09T17:09:31.980Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-10T03:55:48.312Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59223 (GCVE-0-2026-59223)

    Vulnerability from nvd – Published: 2026-07-09 17:00 – Updated: 2026-07-09 17:53
    VLAI
    Title
    Open WebUI: `WEB_FETCH_FILTER_LIST` host allow/block filter bypassable via URL path and non-label-boundary matching
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-693 - Protection Mechanism Failure
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:52:51.423655Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:53:06.003Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-693",
                  "description": "CWE-693: Protection Mechanism Failure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:00:08.976Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-qg3f-8x3j-ggf2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-qg3f-8x3j-ggf2"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25949",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25949"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/087878ce848a4d828012068b5997dac480f43656",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/087878ce848a4d828012068b5997dac480f43656"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-qg3f-8x3j-ggf2",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: `WEB_FETCH_FILTER_LIST` host allow/block filter bypassable via URL path and non-label-boundary matching"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59223",
        "datePublished": "2026-07-09T17:00:08.976Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T17:53:06.003Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59222 (GCVE-0-2026-59222)

    Vulnerability from nvd – Published: 2026-07-09 16:59 – Updated: 2026-07-09 17:29
    VLAI
    Title
    Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.7.0, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59222",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:29:10.232667Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:29:39.729Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.7.0, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users\u2019 sensitive settings. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:59:10.208Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gh7p-78x6-jw6m",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59222",
        "datePublished": "2026-07-09T16:59:10.208Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T17:29:39.729Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59220 (GCVE-0-2026-59220)

    Vulnerability from nvd – Published: 2026-07-09 16:09 – Updated: 2026-07-09 18:45
    VLAI
    Title
    Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed <$skillId|label> skill mentions with overlapping quantifiers, allowing an authenticated chat message containing <$ without a closing > to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.2, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59220",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:44:56.824119Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:45:06.768Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.2, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed \u003c$skillId|label\u003e skill mentions with overlapping quantifiers, allowing an authenticated chat message containing \u003c$ without a closing \u003e to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:09:41.127Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/61a26722155ec6ee1b629cf8dfcf975098c18331",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/61a26722155ec6ee1b629cf8dfcf975098c18331"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-ffpj-xv5c-p3gw",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59220",
        "datePublished": "2026-07-09T16:09:41.127Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T18:45:06.768Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59219 (GCVE-0-2026-59219)

    Vulnerability from nvd – Published: 2026-07-09 16:43 – Updated: 2026-07-09 17:30
    VLAI
    Title
    Open WebUI: Realtime endpoints accept Redis-revoked JWTs after signout/backchannel logout
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0 with Redis configured, Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket first-message authentication used decode_token without the Redis-backed is_valid_token revocation check, allowing revoked JWTs to continue authenticating realtime connections. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.0, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59219",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:30:33.951998Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:30:39.130Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.0, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0 with Redis configured, Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket first-message authentication used decode_token without the Redis-backed is_valid_token revocation check, allowing revoked JWTs to continue authenticating realtime connections. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:43:24.542Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/33b91bd8ae8a100a5a306c91441a7d0b422c4cde",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/33b91bd8ae8a100a5a306c91441a7d0b422c4cde"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-855v-hq7w-jmjw",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Realtime endpoints accept Redis-revoked JWTs after signout/backchannel logout"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59219",
        "datePublished": "2026-07-09T16:43:24.542Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T17:30:39.130Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59218 (GCVE-0-2026-59218)

    Vulnerability from nvd – Published: 2026-07-09 15:53 – Updated: 2026-07-09 17:50
    VLAI
    Title
    Open WebUI: Account enumeration via observable login timing discrepancy
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-208 - Observable Timing Discrepancy
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59218",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:50:34.890081Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:50:41.900Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-208",
                  "description": "CWE-208: Observable Timing Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T15:53:54.653Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rw5-9f7q-xj36",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rw5-9f7q-xj36"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26385",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26385"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/993e74912199c66c522f08ec81abe31d76985e39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/993e74912199c66c522f08ec81abe31d76985e39"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-7rw5-9f7q-xj36",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Account enumeration via observable login timing discrepancy"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59218",
        "datePublished": "2026-07-09T15:53:54.653Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T17:50:41.900Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59217 (GCVE-0-2026-59217)

    Vulnerability from nvd – Published: 2026-07-09 16:51 – Updated: 2026-07-09 16:51
    VLAI
    Title
    Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:51:32.637Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26001",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26001"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-7r7x-gjvr-448g",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59217",
        "datePublished": "2026-07-09T16:51:32.637Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T16:51:32.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59216 (GCVE-0-2026-59216)

    Vulnerability from nvd – Published: 2026-07-09 16:48 – Updated: 2026-07-10 03:55
    VLAI
    Title
    Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59216",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T03:55:47.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:48:55.663Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25763",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25763"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/386ac958144dbbbf0aa6e268070d72b681a318aa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/386ac958144dbbbf0aa6e268070d72b681a318aa"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-74h3-cxq7-vc5q",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59216",
        "datePublished": "2026-07-09T16:48:55.663Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-10T03:55:47.517Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59215 (GCVE-0-2026-59215)

    Vulnerability from nvd – Published: 2026-07-09 16:57 – Updated: 2026-07-09 18:40
    VLAI
    Title
    Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59215",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:39:54.646732Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:40:04.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:57:24.325Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25766",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25766"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-73x5-h92w-xc2j",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59215",
        "datePublished": "2026-07-09T16:57:24.325Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T18:40:04.871Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59214 (GCVE-0-2026-59214)

    Vulnerability from nvd – Published: 2026-07-09 15:51 – Updated: 2026-07-09 17:13
    VLAI
    Title
    Open WebUI: Stored web worker XSS via Pyodide
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue authenticated same-origin requests when a victim clicks Run, which can reach admin-only endpoints and execute server-side code through configured tools. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59214",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:12:24.665545Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:13:10.879Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue authenticated same-origin requests when a victim clicks Run, which can reach admin-only endpoints and execute server-side code through configured tools. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T15:51:38.001Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4r2p-27mh-5m22",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4r2p-27mh-5m22"
            }
          ],
          "source": {
            "advisory": "GHSA-4r2p-27mh-5m22",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Stored web worker XSS via Pyodide"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59214",
        "datePublished": "2026-07-09T15:51:38.001Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T17:13:10.879Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59213 (GCVE-0-2026-59213)

    Vulnerability from nvd – Published: 2026-07-09 16:55 – Updated: 2026-07-09 17:52
    VLAI
    Title
    Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.6.27, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59213",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:52:02.458867Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:52:21.479Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.6.27, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user\u2019s model list to another caller during the TTL window. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:55:00.032Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25783",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25783"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-3wp3-xxj9-5jqq",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59213",
        "datePublished": "2026-07-09T16:55:00.032Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T17:52:21.479Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59212 (GCVE-0-2026-59212)

    Vulnerability from nvd – Published: 2026-07-09 17:04 – Updated: 2026-07-09 17:21
    VLAI
    Title
    Open WebUI: Model meta.knowledge read-only file access can be upgraded to file write/delete
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.6, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59212",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:21:19.508648Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:21:32.128Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.6, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:04:43.488Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2xwm-4h2q-ggfx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2xwm-4h2q-ggfx"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26032",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26032"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-2xwm-4h2q-ggfx",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Model meta.knowledge read-only file access can be upgraded to file write/delete"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59212",
        "datePublished": "2026-07-09T17:04:43.488Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T17:21:32.128Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59221 (GCVE-0-2026-59221)

    Vulnerability from cvelistv5 – Published: 2026-07-09 17:13 – Updated: 2026-07-09 18:09
    VLAI
    Title
    open-webui terminal proxy path traversal guard bypass via 9x encoded traversal
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.6, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59221",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:09:16.352793Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:09:19.712Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.6, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:13:36.193Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26050",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26050"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-frvj-c5qp-xj4w",
            "discovery": "UNKNOWN"
          },
          "title": "open-webui terminal proxy path traversal guard bypass via 9x encoded traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59221",
        "datePublished": "2026-07-09T17:13:36.193Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T18:09:19.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59225 (GCVE-0-2026-59225)

    Vulnerability from cvelistv5 – Published: 2026-07-09 17:12 – Updated: 2026-07-09 18:08
    VLAI
    Title
    Open WebUI: Arena task endpoints can bypass underlying model access controls
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.8.12, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59225",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:50:11.589065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:08:12.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.8.12, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel\u0027s access check. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:12:14.141Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m3qf-58wf-w979",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-m3qf-58wf-w979"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26046",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26046"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/dc4924b66e655b315e3be4430a3e51b7d5c20acc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/dc4924b66e655b315e3be4430a3e51b7d5c20acc"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-m3qf-58wf-w979",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Arena task endpoints can bypass underlying model access controls"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59225",
        "datePublished": "2026-07-09T17:12:14.141Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T18:08:12.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59224 (GCVE-0-2026-59224)

    Vulnerability from cvelistv5 – Published: 2026-07-09 17:09 – Updated: 2026-07-10 03:55
    VLAI
    Title
    Open WebUI: Terminal proxy forwards a spoofable, integrity-unbound user identity to the upstream (X-User-Id header and ws_terminal session_id query injection)
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59224",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T03:55:48.312Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:09:31.980Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26042",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26042"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/5f3a628a8d291bb5d33e1a0b0c89fb62a2927934",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/5f3a628a8d291bb5d33e1a0b0c89fb62a2927934"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-j657-m4c4-24jq",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Terminal proxy forwards a spoofable, integrity-unbound user identity to the upstream (X-User-Id header and ws_terminal session_id query injection)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59224",
        "datePublished": "2026-07-09T17:09:31.980Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-10T03:55:48.312Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59212 (GCVE-0-2026-59212)

    Vulnerability from cvelistv5 – Published: 2026-07-09 17:04 – Updated: 2026-07-09 17:21
    VLAI
    Title
    Open WebUI: Model meta.knowledge read-only file access can be upgraded to file write/delete
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.6, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59212",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:21:19.508648Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:21:32.128Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.6, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:04:43.488Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2xwm-4h2q-ggfx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-2xwm-4h2q-ggfx"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26032",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26032"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-2xwm-4h2q-ggfx",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Model meta.knowledge read-only file access can be upgraded to file write/delete"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59212",
        "datePublished": "2026-07-09T17:04:43.488Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T17:21:32.128Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59223 (GCVE-0-2026-59223)

    Vulnerability from cvelistv5 – Published: 2026-07-09 17:00 – Updated: 2026-07-09 17:53
    VLAI
    Title
    Open WebUI: `WEB_FETCH_FILTER_LIST` host allow/block filter bypassable via URL path and non-label-boundary matching
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-693 - Protection Mechanism Failure
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:52:51.423655Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:53:06.003Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-693",
                  "description": "CWE-693: Protection Mechanism Failure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:00:08.976Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-qg3f-8x3j-ggf2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-qg3f-8x3j-ggf2"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25949",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25949"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/087878ce848a4d828012068b5997dac480f43656",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/087878ce848a4d828012068b5997dac480f43656"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-qg3f-8x3j-ggf2",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: `WEB_FETCH_FILTER_LIST` host allow/block filter bypassable via URL path and non-label-boundary matching"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59223",
        "datePublished": "2026-07-09T17:00:08.976Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T17:53:06.003Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59222 (GCVE-0-2026-59222)

    Vulnerability from cvelistv5 – Published: 2026-07-09 16:59 – Updated: 2026-07-09 17:29
    VLAI
    Title
    Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.7.0, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59222",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:29:10.232667Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:29:39.729Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.7.0, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users\u2019 sensitive settings. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:59:10.208Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gh7p-78x6-jw6m",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59222",
        "datePublished": "2026-07-09T16:59:10.208Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T17:29:39.729Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59215 (GCVE-0-2026-59215)

    Vulnerability from cvelistv5 – Published: 2026-07-09 16:57 – Updated: 2026-07-09 18:40
    VLAI
    Title
    Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59215",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:39:54.646732Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:40:04.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:57:24.325Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25766",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25766"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-73x5-h92w-xc2j",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59215",
        "datePublished": "2026-07-09T16:57:24.325Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T18:40:04.871Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59213 (GCVE-0-2026-59213)

    Vulnerability from cvelistv5 – Published: 2026-07-09 16:55 – Updated: 2026-07-09 17:52
    VLAI
    Title
    Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.6.27, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59213",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:52:02.458867Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:52:21.479Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.6.27, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user\u2019s model list to another caller during the TTL window. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:55:00.032Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25783",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25783"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-3wp3-xxj9-5jqq",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59213",
        "datePublished": "2026-07-09T16:55:00.032Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T17:52:21.479Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59217 (GCVE-0-2026-59217)

    Vulnerability from cvelistv5 – Published: 2026-07-09 16:51 – Updated: 2026-07-09 16:51
    VLAI
    Title
    Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:51:32.637Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/26001",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/26001"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-7r7x-gjvr-448g",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59217",
        "datePublished": "2026-07-09T16:51:32.637Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-09T16:51:32.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59216 (GCVE-0-2026-59216)

    Vulnerability from cvelistv5 – Published: 2026-07-09 16:48 – Updated: 2026-07-10 03:55
    VLAI
    Title
    Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59216",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T03:55:47.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:48:55.663Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-74h3-cxq7-vc5q"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25763",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25763"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/386ac958144dbbbf0aa6e268070d72b681a318aa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/386ac958144dbbbf0aa6e268070d72b681a318aa"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-74h3-cxq7-vc5q",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59216",
        "datePublished": "2026-07-09T16:48:55.663Z",
        "dateReserved": "2026-07-02T21:05:02.924Z",
        "dateUpdated": "2026-07-10T03:55:47.517Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59219 (GCVE-0-2026-59219)

    Vulnerability from cvelistv5 – Published: 2026-07-09 16:43 – Updated: 2026-07-09 17:30
    VLAI
    Title
    Open WebUI: Realtime endpoints accept Redis-revoked JWTs after signout/backchannel logout
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0 with Redis configured, Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket first-message authentication used decode_token without the Redis-backed is_valid_token revocation check, allowing revoked JWTs to continue authenticating realtime connections. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.0, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59219",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:30:33.951998Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:30:39.130Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.0, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0 with Redis configured, Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket first-message authentication used decode_token without the Redis-backed is_valid_token revocation check, allowing revoked JWTs to continue authenticating realtime connections. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:43:24.542Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-855v-hq7w-jmjw"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/33b91bd8ae8a100a5a306c91441a7d0b422c4cde",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/33b91bd8ae8a100a5a306c91441a7d0b422c4cde"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-855v-hq7w-jmjw",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Realtime endpoints accept Redis-revoked JWTs after signout/backchannel logout"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59219",
        "datePublished": "2026-07-09T16:43:24.542Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T17:30:39.130Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59715 (GCVE-0-2026-59715)

    Vulnerability from cvelistv5 – Published: 2026-07-09 16:16 – Updated: 2026-07-09 17:29
    VLAI
    Title
    Open WebUI: Unauthenticated WebSocket Access to Collaborative Document Handlers (ydoc:awareness:update, ydoc:document:leave)
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.6.16, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59715",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:29:40.961598Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:29:46.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.6.16, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:16:02.977Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gmfw-g93r-vg53"
            },
            {
              "name": "https://github.com/open-webui/open-webui/pull/25946",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/pull/25946"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/22f2fe1ffb66c993dad1e0b2b35514acaed2370e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/22f2fe1ffb66c993dad1e0b2b35514acaed2370e"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gmfw-g93r-vg53",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: Unauthenticated WebSocket Access to Collaborative Document Handlers (ydoc:awareness:update, ydoc:document:leave)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59715",
        "datePublished": "2026-07-09T16:16:02.977Z",
        "dateReserved": "2026-07-06T15:34:16.916Z",
        "dateUpdated": "2026-07-09T17:29:46.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59220 (GCVE-0-2026-59220)

    Vulnerability from cvelistv5 – Published: 2026-07-09 16:09 – Updated: 2026-07-09 18:45
    VLAI
    Title
    Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config
    Summary
    Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed <$skillId|label> skill mentions with overlapping quantifiers, allowing an authenticated chat message containing <$ without a closing > to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    open-webui open-webui Affected: >= 0.9.2, < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59220",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:44:56.824119Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:45:06.768Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "open-webui",
              "vendor": "open-webui",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.2, \u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed \u003c$skillId|label\u003e skill mentions with overlapping quantifiers, allowing an authenticated chat message containing \u003c$ without a closing \u003e to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T16:09:41.127Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw"
            },
            {
              "name": "https://github.com/open-webui/open-webui/commit/61a26722155ec6ee1b629cf8dfcf975098c18331",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/commit/61a26722155ec6ee1b629cf8dfcf975098c18331"
            },
            {
              "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-ffpj-xv5c-p3gw",
            "discovery": "UNKNOWN"
          },
          "title": "Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59220",
        "datePublished": "2026-07-09T16:09:41.127Z",
        "dateReserved": "2026-07-02T21:05:02.925Z",
        "dateUpdated": "2026-07-09T18:45:06.768Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }