|
861
|
5.4 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a memb…
|
CWE-863
Incorrect Authorization
|
CVE-2026-44564
|
2026-05-19 12:11 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
862
|
5.4 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any m…
|
CWE-862
Missing Authorization
|
CVE-2026-44563
|
2026-05-19 12:11 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
863
|
6.5 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_impor…
|
CWE-283
CWE-862
Unverified Ownership
Missing Authorization
|
CVE-2026-44562
|
2026-05-19 12:10 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
864
|
5.4 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but do…
|
CWE-863
Incorrect Authorization
|
CVE-2026-44561
|
2026-05-19 12:10 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
865
|
6.5 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare col…
|
CWE-862
Missing Authorization
|
CVE-2026-44560
|
2026-05-19 12:09 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
866
|
4.3 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and …
|
CWE-862
Missing Authorization
|
CVE-2026-44559
|
2026-05-19 12:09 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
867
|
8.0 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-45671
|
2026-05-19 12:08 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
868
|
7.1 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks acr…
|
CWE-862
Missing Authorization
|
CVE-2026-45399
|
2026-05-19 12:08 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
869
|
6.5 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When…
|
CWE-863
Incorrect Authorization
|
CVE-2026-45339
|
2026-05-19 12:07 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
870
|
8.5 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45331
|
2026-05-19 12:06 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
