| CVE | Severity | Score | Score | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-44566 | critical | 9.8 | 9.8 | 13d ago | Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal |
| CVE-2026-44551 | critical | 9.1 | 9.1 | 20d ago | Open WebUI has an LDAP Empty Password Authentication Bypass |
| CVE-2026-45672 | high | 8.8 | 8.8 | 14d ago | Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed |
| CVE-2026-45315 | high | 8.7 | 8.7 | 13d ago | Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions |
| CVE-2026-44549 | high | 8.7 | 8.7 | 13d ago | Open WebUI has stored XSS in Excel file preview |
| CVE-2026-44552 | high | 8.7 | 8.7 | 20d ago | Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning |
| CVE-2026-45401 | high | 8.5 | 8.5 | 13d ago | Open WebUI has an SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958) |
| CVE-2026-45400 | high | 8.5 | 8.5 | 13d ago | Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url` |
| CVE-2026-45331 | high | 8.5 | 8.5 | 14d ago | Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature |
| CVE-2026-44570 | high | 8.3 | 8.3 | 13d ago | Open WebUI has inconsistent authorization controls within memories API |
| CVE-2026-45301 | high | 8.1 | 8.1 | 13d ago | Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file |
| CVE-2026-44565 | high | 8.1 | 8.1 | 13d ago | Open WebUI Arbitrary File Write, Delete via Path Traversal |
| CVE-2026-45402 | high | 8.1 | 8.1 | 13d ago | Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints |
| CVE-2026-45675 | high | 8.1 | 8.1 | 13d ago | Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts |
| CVE-2026-44554 | high | 8.1 | 8.1 | 13d ago | Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite |
| CVE-2026-44553 | high | 8.1 | 8.1 | 20d ago | Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access |
| CVE-2026-45671 | high | 8.0 | 8.0 | 14d ago | Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion |
| CVE-2026-45338 | high | 7.7 | 7.7 | 14d ago | Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py) |
| CVE-2026-45303 | high | 7.7 | 7.7 | 14d ago | Open WebUI has stored XSS via the HTML rendering view |
| CVE-2026-44555 | high | 7.6 | 7.6 | 13d ago | Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining |
| CVE-2026-45398 | high | 7.5 | 7.5 | 14d ago | Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls |
| CVE-2026-44721 | high | 7.3 | 7.3 | 13d ago | open-webui Vulnerable to Stored XSS via Model Description |
| CVE-2026-44567 | high | 7.3 | 7.3 | 20d ago | Open WebUI has Improper Authorization Control |
| CVE-2026-44569 | high | 7.1 | 7.1 | 13d ago | Open WebUI's Insecure Message Access Breaks Authorization |
| CVE-2026-45399 | high | 7.1 | 7.1 | 13d ago | Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption |
| CVE-2026-45349 | high | 7.1 | 7.1 | 13d ago | Open WebUI has Broken Access Control for Completions API |
| CVE-2026-44556 | high | 7.1 | 7.1 | 13d ago | Open WebUI's responses passthrough endpoint lacks access control authorization |
| CVE-2026-45350 | high | 7.1 | 7.1 | 14d ago | Open WebUI's chat completion API allows tool restrictions to be bypassed |
| CVE-2026-45667 | medium | 6.5 | 6.5 | 13d ago | Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS) |
| CVE-2026-45666 | medium | 6.5 | 6.5 | 13d ago | Open WebUI has an Indirect Object Reference (IDOR) in user notes |
| CVE-2026-45351 | medium | 6.5 | 6.5 | 13d ago | Open WebUI Exposes System Prompt to Regular User [Non-Admin] |
| CVE-2026-45345 | medium | 6.5 | 6.5 | 13d ago | Open WebUI missing authorization check at the model update function - models from other users can be updated |
| CVE-2026-44571 | medium | 6.5 | 6.5 | 13d ago | Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission |
| CVE-2026-44562 | medium | 6.5 | 6.5 | 13d ago | Open WebUI's Model Import Overwrites Any Model Without Ownership Check |
| CVE-2026-44560 | medium | 6.5 | 6.5 | 13d ago | Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search |
| CVE-2026-45314 | medium | 6.1 | 6.1 | 14d ago | Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image |
| CVE-2026-45365 | medium | 5.4 | 5.4 | 13d ago | Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED] |
| CVE-2026-45347 | medium | 5.4 | 5.4 | 13d ago | Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function |
| CVE-2026-45318 | medium | 5.4 | 5.4 | 13d ago | Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify) |
| CVE-2026-45396 | medium | 5.4 | 5.4 | 13d ago | Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation |
| CVE-2026-44564 | medium | 5.4 | 5.4 | 13d ago | Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO |
| CVE-2026-44563 | medium | 5.4 | 5.4 | 13d ago | Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show |
| CVE-2026-44561 | medium | 5.4 | 5.4 | 13d ago | Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels |
| CVE-2026-44558 | medium | 5.4 | 5.4 | 13d ago | Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants |
| CVE-2026-45299 | medium | 5.4 | 5.4 | 14d ago | Open WebUI has Stored Cross-Site Scripting In Profile Picture |
| CVE-2026-45397 | medium | 5.3 | 5.3 | 14d ago | Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure |
| CVE-2026-44550 | medium | 5.0 | 5.0 | 13d ago | Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts |
| CVE-2026-44568 | medium | 4.8 | 4.8 | 13d ago | Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order |
| CVE-2026-45317 | medium | 4.6 | 4.6 | 13d ago | Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation |
| CVE-2026-45387 | medium | 4.3 | 4.3 | 13d ago | Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage) |
| CVE-2026-45385 | medium | 4.3 | 4.3 | 13d ago | Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint |
| CVE-2026-44559 | medium | 4.3 | 4.3 | 13d ago | Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels |
| CVE-2026-45386 | medium | 4.3 | 4.3 | 14d ago | Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint |
| CVE-2026-44557 | medium | 4.3 | 4.3 | 20d ago | Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection |
| CVE-2026-45316 | low | 3.5 | 3.5 | 13d ago | Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access) |