pkg:PyPI/open-webui

86 total CVEs: CRITICAL 1, HIGH 44, MEDIUM 37, LOW 3 (one further CVE is listed without a CVSS score)

All known vulnerabilities

  • CRITICAL (9.1) CVE-2026-44551: Open WebUI has an LDAP Empty Password Authentication Bypass
    Affected versions: >= 0, < 0.9.0
  • HIGH (8.8) CVE-2026-45672: Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
    Affected versions: >= 0, < 0.8.12
  • HIGH (8.7) CVE-2026-45315: Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
    Affected versions: >= 0, < 0.9.3
  • HIGH (8.7) CVE-2026-44552: Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning
    Affected versions: >= 0, < 0.9.0
  • HIGH (8.7) CVE-2025-64495: Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
    Affected versions: >= 0, < 0.6.35
  • HIGH (8.5) CVE-2026-45401: Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958)
    Affected versions: >= 0, < 0.9.5
  • HIGH (8.5) CVE-2026-45400: Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`
    Affected versions: >= 0, < 0.9.5
  • HIGH (8.5) CVE-2026-45331: Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature
    Affected versions: >= 0, < 0.9.0
  • HIGH (8.5) CVE-2025-65958: Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web
    Affected versions: >= 0, < 0.6.37
  • HIGH (8.4) CVE-2024-7990: Open WebUI stored cross-site scripting (XSS) vulnerability
    Affected versions: >= 0, <= 0.3.8
  • HIGH (8.3) CVE-2026-44570: Open WebUI has inconsistent authorization controls within memories API
    Affected versions: >= 0, < 0.6.19
  • HIGH (8.3) CVE-2024-7039: Open WebUI Allows Admin Deletion via API Endpoint
    Affected versions: >= 0, <= 0.3.8
  • HIGH (8.1) CVE-2026-45675: Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
    Affected versions: >= 0, < 0.9.0
  • HIGH (8.1) CVE-2026-45402: Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
    Affected versions: >= 0, < 0.9.5
  • HIGH (8.1) CVE-2026-45301: Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
    Affected versions: >= 0, < 0.3.16
  • HIGH (8.1) CVE-2026-44565: Open WebUI Arbitrary File Write, Delete via Path Traversal
    Affected versions: >= 0, < 0.6.10
  • HIGH (8.1) CVE-2026-44554: Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
    Affected versions: >= 0, < 0.9.0
  • HIGH (8.1) CVE-2026-44553: Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
    Affected versions: >= 0, < 0.9.0
  • HIGH (8.1) CVE-2024-8060: Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions
    Affected versions: >= 0, < 0.5.17
  • HIGH (8.1) CVE-2024-7043: Open WebUI Allows Arbitrary File Reading and Deletion
    Affected versions: >= 0, <= 0.3.8
  • HIGH (8.0) CVE-2026-45671: Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
    Affected versions: >= 0, < 0.9.0
  • HIGH (8.0) CVE-2024-7806: Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability
    Affected versions: >= 0, < 0.3.33
  • HIGH (7.7) CVE-2026-45338: Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)
    Affected versions: >= 0, < 0.9.0
  • HIGH (7.7) CVE-2026-45303: Open WebUI has stored XSS via the HTML rendering view
    Affected versions: >= 0, < 0.6.5
  • HIGH (7.7) CVE-2026-34222: Open WebUI has Broken Access Control in Tool Valves
    Affected versions: >= 0, < 0.8.11
  • HIGH (7.7) CVE-2024-7959: Open WebUI has SSRF in /openai/models
    Affected versions: >= 0, <= 0.3.8
  • HIGH (7.6) CVE-2026-44555: Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining
    Affected versions: >= 0, < 0.9.0
  • HIGH (7.6) CVE-2024-7053: Open WebUI Vulnerable to a Session Fixation Attack
    Affected versions: >= 0, <= 0.3.8
  • HIGH (7.5) CVE-2026-45398: Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
    Affected versions: >= 0, < 0.9.5
  • HIGH (7.5) CVE-2024-8053: Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint
    Affected versions: >= 0, <= 0.3.10
  • HIGH (7.5) CVE-2024-7983: Open WebUI denial of service through endpoint for converting markdown
    Affected versions: >= 0, <= 0.3.8
  • HIGH (7.5) CVE-2024-7036: Open WebUI Uncontrolled Resource Consumption vulnerability
    Affected versions: >= 0, <= 0.3.8
  • HIGH (7.5) CVE-2024-12534: Open WebUI Uncontrolled Resource Consumption vulnerability
    Affected versions: >= 0, <= 0.3.32
  • HIGH (7.5) CVE-2024-12537: Open WebUI Uncontrolled Resource Consumption vulnerability
    Affected versions: >= 0, <= 0.3.32
  • HIGH (7.3) CVE-2026-44566: Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
    Affected versions: >= 0, < 0.1.124
  • HIGH (7.3) CVE-2026-44567: Open WebUI has Improper Authorization Control
    Affected versions: >= 0, < 0.1.124
  • HIGH (7.3) CVE-2026-44549: Open WebUI has stored XSS in Excel file preview
    Affected versions: >= 0, < 0.8.0
  • HIGH (7.3) CVE-2026-44721: open-webui Vulnerable to Stored XSS via Model Description
    Affected versions: >= 0, < 0.9.0
  • HIGH (7.3) CVE-2025-64496: Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
    Affected versions: >= 0, < 0.6.35
  • HIGH (7.1) CVE-2026-45399: Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
    Affected versions: >= 0, < 0.9.0
  • HIGH (7.1) CVE-2026-45350: Open WebUI's chat completion API allows tool restrictions to be bypassed
    Affected versions: >= 0, < 0.8.6
  • HIGH (7.1) CVE-2026-45349: Open WebUI has Broken Access Control for Completions API
    Affected versions: >= 0, < 0.9.0
  • HIGH (7.1) CVE-2026-44569: Open WebUI's Insecure Message Access Breaks Authorization
    Affected versions: >= 0, < 0.6.19
  • HIGH (7.1) CVE-2026-44556: Open WebUI's responses passthrough endpoint lacks access control authorization
    Affected versions: >= 0, < 0.9.0
  • HIGH (7.1) CVE-2026-28788: Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
    Affected versions: >= 0, < 0.8.6
  • MEDIUM (6.9) CVE-2024-7035: Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF)
    Affected versions: >= 0, <= 0.3.8
  • MEDIUM (6.8) CVE-2024-7044: Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload
    Affected versions: >= 0, <= 0.3.8
  • MEDIUM (6.5) CVE-2026-45667: Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)
    Affected versions: >= 0, < 0.8.0
  • MEDIUM (6.5) CVE-2026-45666: Open WebUI has an Indirect Object Reference (IDOR) in user notes
    Affected versions: >= 0, < 0.8.11
  • MEDIUM (6.5) CVE-2026-45351: Open WebUI Exposes System Prompt to Regular User [Non-Admin]
    Affected versions: >= 0, < 0.8.9
  • MEDIUM (6.5) CVE-2026-45345: Open WebUI missing authorization check at the model update function - models from other users can be updated
    Affected versions: >= 0, < 0.5.7
  • MEDIUM (6.5) CVE-2026-44571: Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission
    Affected versions: >= 0, < 0.8.6
  • MEDIUM (6.5) CVE-2026-44560: Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (6.5) CVE-2026-44562: Open WebUI's Model Import Overwrites Any Model Without Ownership Check
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (6.5) CVE-2024-7034: Open WebUI Allows Arbitrary File Write via the `/models/upload` Endpoint
    Affected versions: >= 0, <= 0.3.8
  • MEDIUM (6.5) CVE-2024-7033: Open WebUI Allows Arbitrary File Write via the `download_model` Endpoint
    Affected versions: >= 0, <= 0.3.8
  • MEDIUM (6.5) CVE-2024-7037: open-webui allows writing and deleting arbitrary files
    Affected versions: >= 0, <= 0.3.8
  • MEDIUM (6.5) CVE-2024-7041: open-webui Insecure Direct Object Reference (IDOR) vulnerability
    Affected versions: >= 0, <= 0.3.8
  • MEDIUM (6.1) CVE-2026-45314: Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
    Affected versions: >= 0, < 0.9.3
  • MEDIUM (6.1) CVE-2024-6706: Open WebUI Stored Cross-Site Scripting Vulnerability
    Affected versions: >= 0, <= 0.1.105
  • MEDIUM (5.4) CVE-2026-45396: Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
    Affected versions: >= 0, < 0.9.5
  • MEDIUM (5.4) CVE-2026-45365: Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]
    Affected versions: >= 0, < 0.8.11
  • MEDIUM (5.4) CVE-2026-45318: Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)
    Affected versions: >= 0, < 0.9.3
  • MEDIUM (5.4) CVE-2026-45299: Open WebUI has Stored Cross-Site Scripting In Profile Picture
    Affected versions: >= 0, < 0.8.0
  • MEDIUM (5.4) CVE-2026-44561: Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (5.4) CVE-2026-44564: Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (5.4) CVE-2026-44563: Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (5.4) CVE-2026-44558: Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (5.4) CVE-2026-29070: Open WebUI has unauthorized deletion of knowledge files
    Affected versions: >= 0, < 0.8.6
  • MEDIUM (5.3) CVE-2026-45397: Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
    Affected versions: >= 0, < 0.9.5
  • MEDIUM (5.0) CVE-2026-44550: Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (4.8) CVE-2026-44568: Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (4.6) CVE-2026-45317: Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation
    Affected versions: >= 0, < 0.9.3
  • MEDIUM (4.3) CVE-2026-45387: Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
    Affected versions: >= 0, < 0.9.5
  • MEDIUM (4.3) CVE-2026-45386: Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint
    Affected versions: >= 0, < 0.9.5
  • MEDIUM (4.3) CVE-2026-45385: Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
    Affected versions: >= 0, < 0.9.5
  • MEDIUM (4.3) CVE-2026-45347: Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function
    Affected versions: >= 0, < 0.5.11
  • MEDIUM (4.3) CVE-2026-44559: Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (4.3) CVE-2026-44557: Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
    Affected versions: >= 0, < 0.9.0
  • MEDIUM (4.3) CVE-2026-28786: Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`
    Affected versions: >= 0, < 0.8.6
  • MEDIUM (4.3) CVE-2024-7046: Open WebUI Allows Viewing of Admin Details
    Affected versions: >= 0, <= 0.3.8
  • MEDIUM (4.3) CVE-2024-7045: Open WebUI Has Improper Access Control Leading to Arbitrary Prompt Read
    Affected versions: >= 0, <= 0.3.8
  • LOW (3.5) CVE-2026-45316: Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)
    Affected versions: >= 0, < 0.9.3
  • LOW (3.1) CVE-2026-29071: Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
    Affected versions: >= 0, < 0.8.6
  • LOW (2.7) CVE-2024-7038: open-webui allows enumeration of file names and traversal of directories by observing the error messages
    Affected versions: >= 0, <= 0.3.8
  • (no CVSS score listed) CVE-2025-63681: open-webui is Vulnerable to Incorrect Access Control
    Affected versions: >= 0, <= 0.6.33