| Severity | CVSS | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.1 | CVE-2026-44551 | Open WebUI has an LDAP Empty Password Authentication Bypass | from 0, < 0.9.0 |
| HIGH | 8.8 | CVE-2026-45672 | Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed | from 0, < 0.8.12 |
| HIGH | 8.7 | | Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions | from 0, < 0.9.3 |
| HIGH | 8.7 | | Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning | from 0, < 0.9.0 |
| HIGH | 8.7 | | Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE | from 0, < 0.6.35 |
| HIGH | 8.5 | | Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958) | from 0, < 0.9.5 |
| HIGH | 8.5 | | Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url` | from 0, < 0.9.5 |
| HIGH | 8.5 | | Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature | from 0, < 0.9.0 |
| HIGH | 8.5 | | Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web | from 0, < 0.6.37 |
| HIGH | 8.4 | | Open WebUI stored cross-site scripting (XSS) vulnerability | from 0, <= 0.3.8 |
| HIGH | 8.3 | | Open WebUI has inconsistent authorization controls within memories API | from 0, < 0.6.19 |
| HIGH | 8.3 | | Open WebUI Allows Admin Deletion via API Endpoint | from 0, <= 0.3.8 |
| HIGH | 8.1 | | Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts | from 0, < 0.9.0 |
| HIGH | 8.1 | | Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints | from 0, < 0.9.5 |
| HIGH | 8.1 | | Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file | from 0, < 0.3.16 |
| HIGH | 8.1 | | Open WebUI Arbitrary File Write, Delete via Path Traversal | from 0, < 0.6.10 |
| HIGH | 8.1 | | Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite | from 0, < 0.9.0 |
| HIGH | 8.1 | | Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access | from 0, < 0.9.0 |
| HIGH | 8.1 | | Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions | from 0, < 0.5.17 |
| HIGH | 8.1 | | Open WebUI Allows Arbitrary File Reading and Deletion | from 0, <= 0.3.8 |
| HIGH | 8.0 | | Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion | from 0, < 0.9.0 |
| HIGH | 8.0 | | Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability | from 0, < 0.3.33 |
| HIGH | 7.7 | | Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py) | from 0, < 0.9.0 |
| HIGH | 7.7 | | Open WebUI has stored XSS via the HTML rendering view | from 0, < 0.6.5 |
| HIGH | 7.7 | | Open WebUI has Broken Access Control in Tool Valves | from 0, < 0.8.11 |
| HIGH | 7.7 | | Open WebUI has SSRF in /openai/models | from 0, <= 0.3.8 |
| HIGH | 7.6 | | Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining | from 0, < 0.9.0 |
| HIGH | 7.6 | | Open WebUI Vulnerable to a Session Fixation Attack | from 0, <= 0.3.8 |
| HIGH | 7.5 | | Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls | from 0, < 0.9.5 |
| HIGH | 7.5 | | Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint | from 0, <= 0.3.10 |
| HIGH | 7.5 | | Open WebUI denial of service through endpoint for converting markdown | from 0, <= 0.3.8 |
| HIGH | 7.5 | | Open WebUI Uncontrolled Resource Consumption vulnerability | from 0, <= 0.3.8 |
| HIGH | 7.5 | | Open WebUI Uncontrolled Resource Consumption vulnerability | from 0, <= 0.3.32 |
| HIGH | 7.5 | | Open WebUI Uncontrolled Resource Consumption vulnerability | from 0, <= 0.3.32 |
| HIGH | 7.3 | | Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal | from 0, < 0.1.124 |
| HIGH | 7.3 | | Open WebUI has Improper Authorization Control | from 0, < 0.1.124 |
| HIGH | 7.3 | | Open WebUI has stored XSS in Excel file preview | from 0, < 0.8.0 |
| HIGH | 7.3 | | open-webui Vulnerable to Stored XSS via Model Description | from 0, < 0.9.0 |
| HIGH | 7.3 | | Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events | from 0, < 0.6.35 |
| HIGH | 7.1 | | Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption | from 0, < 0.9.0 |
| HIGH | 7.1 | | Open WebUI's chat completion API allows tool restrictions to be bypassed | from 0, < 0.8.6 |
| HIGH | 7.1 | | Open WebUI has Broken Access Control for Completions API | from 0, < 0.9.0 |
| HIGH | 7.1 | | Open WebUI's Insecure Message Access Breaks Authorization | from 0, < 0.6.19 |
| HIGH | 7.1 | | Open WebUI's responses passthrough endpoint lacks access control authorization | from 0, < 0.9.0 |
| HIGH | 7.1 | | Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite | from 0, < 0.8.6 |
| MEDIUM | 6.9 | | Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) | from 0, <= 0.3.8 |
| MEDIUM | 6.8 | | Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload | from 0, <= 0.3.8 |
| MEDIUM | 6.5 | | Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS) | from 0, < 0.8.0 |
| MEDIUM | 6.5 | | Open WebUI has an Indirect Object Reference (IDOR) in user notes | from 0, < 0.8.11 |
| MEDIUM | 6.5 | | Open WebUI Exposes System Prompt to Regular User [Non-Admin] | from 0, < 0.8.9 |
| MEDIUM | 6.5 | | Open WebUI missing authorization check at the model update function - models from other users can be updated | from 0, < 0.5.7 |
| MEDIUM | 6.5 | | Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission | from 0, < 0.8.6 |
| MEDIUM | 6.5 | | Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search | from 0, < 0.9.0 |
| MEDIUM | 6.5 | | Open WebUI's Model Import Overwrites Any Model Without Ownership Check | from 0, < 0.9.0 |
| MEDIUM | 6.5 | | Open WebUI Allows Arbitrary File Write via the `/models/upload` Endpoint | from 0, <= 0.3.8 |
| MEDIUM | 6.5 | | Open WebUI Allows Arbitrary File Write via the `download_model` Endpoint | from 0, <= 0.3.8 |
| MEDIUM | 6.5 | | open-webui allows writing and deleting arbitrary files | from 0, <= 0.3.8 |
| MEDIUM | 6.5 | | open-webui Insecure Direct Object Reference (IDOR) vulnerability | from 0, <= 0.3.8 |
| MEDIUM | 6.1 | | Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image | from 0, < 0.9.3 |
| MEDIUM | 6.1 | | Open WebUI Stored Cross-Site Scripting Vulnerability | from 0, <= 0.1.105 |
| MEDIUM | 5.4 | | Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation | from 0, < 0.9.5 |
| MEDIUM | 5.4 | | Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED] | from 0, < 0.8.11 |
| MEDIUM | 5.4 | | Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify) | from 0, < 0.9.3 |
| MEDIUM | 5.4 | | Open WebUI has Stored Cross-Site Scripting In Profile Picture | from 0, < 0.8.0 |
| MEDIUM | 5.4 | | Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels | from 0, < 0.9.0 |
| MEDIUM | 5.4 | | Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO | from 0, < 0.9.0 |
| MEDIUM | 5.4 | | Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show | from 0, < 0.9.0 |
| MEDIUM | 5.4 | | Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants | from 0, < 0.9.0 |
| MEDIUM | 5.4 | | Open WebUI has unauthorized deletion of knowledge files | from 0, < 0.8.6 |
| MEDIUM | 5.3 | | Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure | from 0, < 0.9.5 |
| MEDIUM | 5.0 | | Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts | from 0, < 0.9.0 |
| MEDIUM | 4.8 | | Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order | from 0, < 0.9.0 |
| MEDIUM | 4.6 | | Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation | from 0, < 0.9.3 |
| MEDIUM | 4.3 | | Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage) | from 0, < 0.9.5 |
| MEDIUM | 4.3 | | Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint | from 0, < 0.9.5 |
| MEDIUM | 4.3 | | Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint | from 0, < 0.9.5 |
| MEDIUM | 4.3 | | Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function | from 0, < 0.5.11 |
| MEDIUM | 4.3 | | Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels | from 0, < 0.9.0 |
| MEDIUM | 4.3 | | Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection | from 0, < 0.9.0 |
| MEDIUM | 4.3 | | Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions` | from 0, < 0.8.6 |
| MEDIUM | 4.3 | | Open WebUI Allows Viewing of Admin Details | from 0, <= 0.3.8 |
| MEDIUM | 4.3 | | Open WebUI Has Improper Access Control Leading to Arbitrary Prompt Read | from 0, <= 0.3.8 |
| LOW | 3.5 | | Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access) | from 0, < 0.9.3 |
| LOW | 3.1 | | Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories | from 0, < 0.8.6 |
| LOW | 2.7 | | open-webui allows enumeration of file names and traversal of directories by observing the error messages | from 0, <= 0.3.8 |
| — | — | | open-webui is Vulnerable to Incorrect Access Control | from 0, <= 0.6.33 |