Openwebui

Open Webui

43 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
Exploit
  • EPSS 0.03%
  • Published 19.02.2026 19:15:03
  • Last modified 20.02.2026 20:15:37

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, manually modifying chat history allows setting the `embeds` property on a response message, the content of which is loaded int...

Exploit
  • EPSS 0.03%
  • Published 19.02.2026 19:10:52
  • Last modified 20.02.2026 20:17:25

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, manually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter ...

  • EPSS 0.02%
  • Published 23.01.2026 03:28:39
  • Last modified 30.01.2026 19:36:59

Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to e...

  • EPSS 0.64%
  • Published 23.01.2026 03:28:35
  • Last modified 30.01.2026 19:47:56

Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerab...

  • EPSS 0.64%
  • Published 23.01.2026 03:28:32
  • Last modified 30.01.2026 19:48:35

Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit...

  • EPSS 0.14%
  • Published 18.12.2025 00:00:00
  • Last modified 22.01.2026 18:16:44

An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.

Exploit
  • EPSS 0.04%
  • Published 04.12.2025 20:46:36
  • Last modified 10.12.2025 15:35:25

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file con...

Exploit
  • EPSS 0.04%
  • Published 04.12.2025 19:55:13
  • Last modified 10.12.2025 15:18:38

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP reques...

Exploit
  • EPSS 0.01%
  • Published 04.12.2025 00:00:00
  • Last modified 05.12.2025 20:15:57

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.

Exploit
  • EPSS 0.15%
  • Published 08.11.2025 01:29:02
  • Last modified 26.11.2025 15:36:09

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to exe...