open-webui vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
| --- | --- | --- |
| CVE-2026-45400 | High | open-webui: Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url` |
| CVE-2026-45399 | High | open-webui: Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks,… |
| CVE-2026-45398 | High | open-webui: Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls |
| CVE-2026-45397 | Medium | open-webui: Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure |
| CVE-2026-45396 | Medium | open-webui: Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and… |
| CVE-2026-45395 | High | open-webui: Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege… |
| CVE-2026-45387 | Medium | open-webui: Open WebUI: Sharing models for others to use (read permission) also exposes model details (system… |
| CVE-2026-45386 | Medium | open-webui: Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint |
| CVE-2026-45385 | Medium | open-webui: Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint |
| CVE-2026-45365 | Medium | open-webui: Open WebUI: Authenticated users can bypass model access control via exposed query parameter… |
| CVE-2026-45351 | Medium | open-webui: Open WebUI Exposes System Prompt to Regular User [Non-Admin] |
| CVE-2026-45350 | High | open-webui: Open WebUI's chat completion API allows tool restrictions to be bypassed |
| CVE-2026-45349 | High | open-webui: Open WebUI has Broken Access Control for Completions API |
| CVE-2026-45347 | Medium | open-webui: Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function |
| CVE-2026-45346 | Medium | open-webui: Open WebUI Has Stored Cross-Site Scripting in SVG Renderer |
| CVE-2026-45345 | Medium | open-webui: Open WebUI missing authorization check at the model update function - models from other users can… |
| CVE-2026-45338 | High | open-webui: Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py) |
| CVE-2026-45331 | High | open-webui: Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature |
| CVE-2026-45317 | Medium | open-webui: Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation |
| CVE-2026-45318 | Medium | open-webui: Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without… |
| CVE-2026-45316 | Low | open-webui: Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via… |
| CVE-2026-45314 | High | open-webui: Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image |
| CVE-2026-45315 | High | open-webui: Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions |
| CVE-2026-45303 | High | open-webui: Open WebUI has stored XSS via the HTML rendering view |
| CVE-2026-45301 | High | open-webui: Open WebUI: Missing permission check in files API allows authenticated users to list, access and… |
