|
2551
|
8.0 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-45671
|
2026-05-19 12:08 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2552
|
7.1 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks acr…
|
CWE-862
Missing Authorization
|
CVE-2026-45399
|
2026-05-19 12:08 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2553
|
6.5 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When…
|
CWE-863
Incorrect Authorization
|
CVE-2026-45339
|
2026-05-19 12:07 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2554
|
8.5 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45331
|
2026-05-19 12:06 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2555
|
4.8 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overl…
|
CWE-79
Cross-site Scripting
|
CVE-2026-44568
|
2026-05-19 12:06 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2556
|
4.3 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for …
|
CWE-200
Information Exposure
|
CVE-2026-45387
|
2026-05-19 12:05 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2557
|
7.2 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspac…
|
CWE-269
CWE-862
Improper Privilege Management
Missing Authorization
|
CVE-2026-45395
|
2026-05-19 12:05 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2558
|
4.3 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any cha…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-45385
|
2026-05-19 10:45 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2559
|
6.3 |
MEDIUM
Network
|
open5gs
|
open5gs
|
A vulnerability was found in Open5GS up to 2.7.6. This impacts the function ran_ue_find_by_amf_ue_ngap_id of the file src/amf/context.c of the component AMF/MME. Performing a manipulation results in …
|
CWE-266
CWE-285
Incorrect Privilege Assignment
Improper Authorization
|
CVE-2026-8743
|
2026-05-19 10:35 |
2026-05-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2560
|
5.5 |
MEDIUM
Local
|
steipete
|
summarize
|
Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default…
|
CWE-732
Incorrect Permission Assignment for Critical Resource
|
CVE-2026-45246
|
2026-05-19 10:34 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
