open-webui vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
| --- | --- | --- |
| CVE-2026-45299 | Medium | open-webui: Open WebUI has Stored Cross-Site Scripting In Profile Picture |
| CVE-2026-44570 | High | open-webui: Open WebUI has inconsistent authorization controls within memories API |
| CVE-2026-44571 | Medium | open-webui: Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission |
| CVE-2026-44569 | High | open-webui: Open WebUI's Insecure Message Access Breaks Authorization |
| CVE-2026-44565 | High | open-webui: Open WebUI Arbitrary File Write, Delete via Path Traversal |
| GHSA-6XCP-7MPR-M7WM | High | open-webui: Open WebUI has a CORS misconfiguration and session validation issue |
| CVE-2026-44566 | High | open-webui: Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal |
| CVE-2026-44567 | High | open-webui: Open WebUI has Improper Authorization Control |
| CVE-2026-44549 | High | open-webui: Open WebUI has stored XSS in Excel file preview |
| CVE-2026-44568 | Medium | open-webui: Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order |
| CVE-2026-44560 | Medium | open-webui: Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search |
| CVE-2026-44561 | Medium | open-webui: Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels |
| CVE-2026-44564 | Medium | open-webui: Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO |
| CVE-2026-44563 | Medium | open-webui: Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and… |
| CVE-2026-44562 | Medium | open-webui: Open WebUI's Model Import Overwrites Any Model Without Ownership Check |
| CVE-2026-44559 | Medium | open-webui: Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels |
| CVE-2026-44557 | Medium | open-webui: Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection |
| CVE-2026-44554 | High | open-webui: Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite |
| CVE-2026-44558 | Medium | open-webui: Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants |
| CVE-2026-44556 | High | open-webui: Open WebUI's responses passthrough endpoint lacks access control authorization |
| CVE-2026-44555 | High | open-webui: Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining |
| CVE-2026-44552 | High | open-webui: Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable… |
| CVE-2026-44553 | High | open-webui: Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access |
| CVE-2026-44550 | Medium | open-webui: Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users'… |
| CVE-2026-44551 | Critical | open-webui: Open WebUI has an LDAP Empty Password Authentication Bypass |
