These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-54022 is a vulnerability in Open WebUI, a self-hosted artificial intelligence platform. The issue allows an attacker to bypass authorization checks and access private note contents by manipulating document IDs. The vulnerability is fixed in version 0.8.11. Open WebUI is a platform designed to operate entirely offline. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.
CVE-2026-54021 is a vulnerability in Open WebUI, a self-hosted artificial intelligence platform. The vulnerability allows authenticated users to access unauthorized Ollama backends by manipulating the url_idx path parameter. This issue was fixed in version 0.9.6. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 6.3, indicating a medium severity level. The vulnerability was pu [truncated]
CVE-2026-54018 is a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI, a self-hosted artificial intelligence platform. The vulnerability arises from the platform's failure to validate URLs after HTTP redirects, allowing attackers to access internal services despite protective configurations. This issue was fixed in version 0.9.6. The vulnerability has a CVSS score of 7.7 and is considered hig [truncated]
CVE-2026-54014 is a path traversal vulnerability in Open WebUI's cache file serving endpoint. The vulnerability allows any authenticated user to read files from sibling directories outside the intended cache directory. This is achieved by exploiting an incomplete startswith containment check that lacks a trailing path separator. The root cause lies in the serve_cache_file() function in open_webui/main.py, [truncated]
Open WebUI, a self-hosted AI platform, had an SVG XSS vulnerability in model profile images prior to version 0.9.6. The ModelMeta class lacked a profile image URL validator, and the image serving endpoint had no MIME allowlist or nosniff header. Authenticated users with workspace.models permission could store malicious SVG images, leading to full account takeover when navigated to. The vulnerability was p [truncated]
CVE-2026-54011 is a high-severity vulnerability in Open WebUI, a self-hosted artificial intelligence platform. The vulnerability arises from the platform's rendering of Mermaid blocks from Markdown files in the file preview panel. Specifically, Open WebUI inserts the generated SVG into the DOM using innerHTML, and Mermaid is configured with securityLevel: 'loose'. This allows attacker-controlled Mermaid c [truncated]
CVE-2026-54007 is a high-severity vulnerability in Open WebUI, a self-hosted artificial intelligence platform. Prior to version 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, enabling an external site to set prompt text and trigger submitPrompt() in an authenticated victim session. This allows for cross-site forced actions and model/tool execution under vi [truncated]
CVE-2026-54006 is a medium-severity vulnerability in Open WebUI, a self-hosted artificial intelligence platform. The vulnerability exists in the POST /api/v1/calendars/events/{event_id}/update endpoint, which fails to validate the destination calendar_id supplied in the request body. This allows a regular user-role account to create an event in their own calendar and immediately move it into any other use [truncated]
Open WebUI versions prior to 0.8.0 expose an unauthenticated API endpoint (`GET /api/v1/memories/ef`) that triggers embedding generation through `request.app.state.EMBEDDING_FUNCTION(...)`. This allows any unauthenticated remote attacker to invoke embedding operations, which can result in direct financial cost exposure when configured with paid embedding providers. The vulnerability represents a missing a [truncated]
Open WebUI versions prior to 0.8.11 contain an authorization bypass vulnerability in the `/api/v1/notes/{note_id}` API endpoint. Authenticated users can retrieve notes belonging to other users by guessing or enumerating UUIDs, resulting in unauthorized disclosure of potentially sensitive user data. The vulnerability stems from missing authorization checks on the note retrieval endpoint. This issue was pub [truncated]
A stored cross-site scripting (XSS) vulnerability in Open WebUI prior to version 0.8.0 allows a compromised administrator to inject malicious JavaScript into the global banner component. The root cause is an improper sanitization order where DOMPurify executes before the marked library processes content, enabling payload bypass. Because the banner renders for all users including the Super Admin, this vect [truncated]
Open WebUI versions prior to 0.8.11 expose an internal-only `bypass_filter` parameter on the `/openai/chat/completions` and `/ollama/api/chat` HTTP endpoints via FastAPI query string binding. Any authenticated user can append `?bypass_filter=true` to bypass model access control checks and invoke admin-restricted models. The vulnerability stems from FastAPI's automatic query [truncated]
A medium-severity information disclosure vulnerability in Open WebUI allows non-administrative users to view system prompts configured by administrators. The issue stems from the `/api/models` endpoint returning model configuration data—including system prompts—to authenticated regular users without proper access controls. This exposure occurs when any standard user logs into the application and the front [truncated]
CVE-2026-45347 is a blind server-side request forgery issue in Open WebUI’s PDF generate/export flow. The flaw was publicly disclosed on 2026-05-15 and fixed in Open WebUI 0.5.11. The available evidence indicates the issue can trigger server-side outbound requests through an image tag in user input, but scripts and some other tags were blocked, limiting the impact to blind SSRF rather than content readout.
Open WebUI versions prior to 0.5.7 contain an insecure direct object reference vulnerability where authenticated users can modify another user's private models by manipulating access permission parameters during the edit operation. The flaw stems from missing authorization checks when processing model updates, allowing attackers to escalate privileges and gain unauthorized access to models explicitly mark [truncated]
Open WebUI versions prior to 0.9.3 contain a regression of a previously patched cross-site scripting (XSS) vulnerability. The issue stems from the same root cause as CVE-2026-44549: output from XLSX.utils.sheet_to_html() is rendered via Svelte's {@html} directive without DOMPurify sanitization. This regression was reintroduced sometime after v0.8.0, allowing an attacker with authenticated access to upload [truncated]
A Cross-Site Request Forgery (CSRF) vulnerability in Open WebUI's image uploading functionality allows authenticated attackers to perform actions on behalf of victim users. The flaw exists in versions prior to 0.9.3 and stems from insufficient validation of image URLs, enabling attackers to specify malicious endpoints that execute when images are viewed. The vulnerability is exploitable by any authenticat [truncated]
CVE-2026-45316 is a low-severity authorization bypass in Open WebUI, a self-hosted AI platform. The vulnerability allows users with read-only access to shared notes to perform state-modifying actions (pinning/unpinning) due to improper permission checks on the POST /api/v1/notes/{id}/pin endpoint. The endpoint verifies read permission instead of write permission before executing the toggle oper [truncated]
Open WebUI versions prior to 0.9.3 contain a stored cross-site scripting vulnerability in the channel webhook profile image functionality. The application accepts arbitrary profile_image_url values, including data:image/svg+xml;base64 payloads, and serves these without sanitization as image/svg+xml content. When a user opens a profile image URL containing malicious SVG with script handlers such as onload, [truncated]
Open WebUI versions prior to 0.6.5 contain a stored cross-site scripting (XSS) vulnerability in the HTML rendering view. The application's chat visualization feature embeds HTML content within an iFrame using the sandbox directive `allow-scripts allow-forms allow-same-origin`. This configuration permits embedded scripts to execute and access parent-origin data including local storage, effectively nullifyi [truncated]
Open WebUI versions prior to 0.3.16 contain a missing permission check vulnerability in all files-related API endpoints. Any authenticated user can list, access, and delete files uploaded by any other user on the platform. This represents a broken access control issue (CWE-284) with network-exploitable, low-complexity attack requirements. The vulnerability was disclosed via GitHub Security Advisory and ad [truncated]
Open WebUI versions prior to 0.8.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile update functionality. The `profile_image_url` field accepted arbitrary `data:` URI values without MIME-type validation, allowing attackers with authenticated access to inject malicious JavaScript payloads that execute in victims' browsers. The vulnerability requires low attack complexity and us [truncated]
Open WebUI versions prior to 0.8.6 contain an authorization bypass vulnerability in the message update endpoint for standard channels. The POST /api/v1/channels/{channel_id}/messages/{message_id}/update endpoint incorrectly permits access with read-only permissions when access_control is set to None. The has_access(..., type=read) check evaluates to True, allowing non-message owners to modify other users' [truncated]
Open WebUI versions prior to 0.6.19 contain broken authorization controls in the memories API that allow standard users to access, modify, and delete other users' memory data. The vulnerability stems from inconsistent access control enforcement across multiple endpoints: POST /api/v1/memories/query allows viewing arbitrary memories without ownership verification; POST /api/v1/memories/{memory_id}/update l [truncated]
Open WebUI versions prior to 0.6.19 contain an insecure direct object reference (IDOR) vulnerability in the channels message management system. The flaw exists in the message update and delete API endpoints, which validate only channel-level access permissions without verifying message ownership. While the frontend correctly restricts edit and delete functionality to message owners and administrators, the [truncated]
Open WebUI versions prior to 0.1.124 contain an authorization bypass vulnerability where the API fails to validate that a user possesses an authorized role of 'user'. When new sign-ups are enabled, the default user role is set to 'pending', requiring administrator intervention to assign proper access. Due to insufficient server-side authorization checks, pending users can access API endpoints and function [truncated]
CVE-2026-44566 affects Open WebUI versions prior to 0.1.124. According to the GitHub security advisory and NVD entry, the application derives the attached file name from the original HTTP upload request without validating or sanitizing it. That allows dot-segments in the file path to traverse out of the intended uploads directory, potentially writing files anywhere on the filesystem that the web server pr [truncated]
CVE-2026-44565 affects Open WebUI versions prior to 0.6.10. When an audio file is uploaded, the service derives the saved name from the original HTTP upload request without validating or sanitizing it. That lets a user include dot-segments in the filename and escape the intended uploads directory, potentially writing files anywhere the web server account can access. The issue is rated HIGH severity (CVSS [truncated]
Open WebUI versions prior to 0.8.0 contain a stored cross-site scripting (XSS) vulnerability in Excel file preview functionality. The application uses the SheetJS library's sheet_to_html function to convert XLSX files to HTML for preview, then renders the output using Svelte's @html directive without sanitization. A crafted XLSX file can embed malicious JavaScript that executes when the preview is rendere [truncated]
Open WebUI versions prior to 0.8.12 contain a critical authorization bypass in the code execution feature. The /api/v1/utils/code/execute endpoint allows any authenticated user to execute arbitrary Python code via Jupyter, regardless of the ENABLE_CODE_EXECUTION=false configuration setting. The administrative feature gate is not enforced at the API layer, creating a dangerous gap between intended security [truncated]
Open WebUI versions prior to 0.9.5 contain an insecure direct object reference (IDOR) vulnerability in multiple API endpoints that allow authenticated users to attach arbitrary files—owned by other users—to resources they control. The affected endpoints include POST /api/v1/folders/{id}/update and knowledge-base file attachment functions in backend/open_webui/routers/folders.py and backend/open_webui/rout [truncated]
A parsing discrepancy between Python's urlparse and the requests library in Open WebUI prior to version 0.9.5 enables Server-Side Request Forgery (SSRF) bypass. The vulnerability arises when URL validation logic using urlparse produces different results than the actual HTTP request handling performed by requests, allowing attackers to craft URLs that pass validation but trigger unintended outbound request [truncated]
Open WebUI versions prior to 0.9.5 contain an authorization bypass vulnerability in the `_validate_collection_access()` function. The function validates access for collections with `user-memory-*` and `file-*` prefixes but fails to enforce access controls on knowledge base collections, which use raw UUIDs as collection names. This gap allows any authenticated user who knows a private knowledge base UUID t [truncated]
Open WebUI versions prior to 0.9.5 expose live RAG (Retrieval-Augmented Generation) pipeline configuration through the GET /api/v1/retrieval/ endpoint without requiring authentication. This endpoint returns sensitive configuration data to any unauthenticated HTTP client, while adjacent endpoints on the same router (/embedding, /config) are properly protected by the get_admin_user guard. The vulnerability [truncated]
CVE-2026-45396 affects Open WebUI versions prior to 0.9.5. The POST /api/v1/evaluations/feedback endpoint allows an authenticated requester to supply fields that should be server-controlled. Because FeedbackForm is configured with extra='allow' and insert_new_feedback() merges data in an insecure order, a client-supplied user_id can overwrite the intended server-derived value. The practical impact is forg [truncated]
CVE-2026-45395 describes an authorization flaw in Open WebUI’s tool update endpoint. Prior to version 0.9.5, a user who was supposed to be blocked from tool management could still update an existing tool and trigger execution of changed server-side Python content, bypassing the intended workspace.tools boundary.
Open WebUI versions prior to 0.9.5 contain an information disclosure vulnerability where users granted read access to a model through group permissions can also view the model's system prompt. System prompts may contain confidential instructions, configuration details, or other sensitive content that model owners intend to keep private. The CVSS 3.1 score of 4.3 (Medium) reflects the network-accessible na [truncated]
Open WebUI versions prior to 0.9.5 contain an authorization bypass vulnerability in the message pinning functionality. The Pin/Unpin operation modifies message state (is_pinned, pinned_by, pinned_at fields) but incorrectly validates only read permissions in standard channels. This allows users with read-only access to pin or unpin any message, violating the expected write-access control boundary. The vuln [truncated]
An Insecure Direct Object Reference (IDOR) vulnerability in Open WebUI's Channels feature allows any authenticated channel member to modify messages sent by other members, including administrators. The flaw exists in the `update_message_by_id` function, which only verifies channel membership via `is_user_channel_member` without checking message ownership. This affects group and direct message channels in [truncated]
A stored cross-site scripting (XSS) vulnerability in Open WebUI allows authenticated users with model creation permissions to execute arbitrary JavaScript in other users' browsers. The vulnerability exists in versions prior to 0.9.0 and was fixed in that release. The CVSS 3.1 score of 7.3 (HIGH) reflects network attack vector, low attack complexity, required privileges, and user interaction needed, with h [truncated]
Open WebUI versions prior to 0.9.0 contain a Time-of-Check-Time-of-Use (TOCTOU) race condition in LDAP and OAuth authentication flows that could allow unauthorized elevation to administrator privileges. The vulnerability exists because while the regular signup handler was patched to prevent this race condition with a default-role-first insertion pattern, the LDAP and OAuth code paths were never updated wi [truncated]
Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability that allows any authenticated user to permanently delete files owned by other users. The vulnerability exists in the `has_access_to_file()` function, which unconditionally grants access through its shared-chat branch without verifying the requesting user's identity or the operation type. Attackers can obtain file UUIDs throug [truncated]
Open WebUI versions prior to 0.9.0 contain an authorization flaw (CWE-862) where authenticated users with low privileges can enumerate and terminate background tasks belonging to other users. The vulnerable endpoints—GET /api/tasks and POST /api/tasks/stop/{task_id}—lack proper access controls, enabling any authenticated user to disrupt system-wide chat operations by canceling active tasks across the depl [truncated]
Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability in the chat completions API. An authenticated user can access and continue another user's conversation by supplying their own valid API key alongside the target user's Chat ID to the /api/chat/completions endpoint. The vulnerability stems from improper authorization checks that fail to verify the requesting user's ownership o [truncated]
Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability in API key endpoint restrictions. When administrators configure API keys with restricted endpoint access, the restriction is properly enforced for requests using the `Authorization: Bearer sk-...` header format, returning HTTP 403 Forbidden. However, identical API keys submitted via the `x-api-key` header bypass these restric [truncated]
A stored cross-site scripting (XSS) vulnerability exists in Open WebUI prior to version 0.9.0. The AccountPending.svelte component renders administrator-configured
Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability in the Socket.IO real-time collaboration subsystem. The ydoc:document:update event handler validates that a user is a member of a document's Socket.IO room but fails to verify write permissions. Users with read-only access can join document rooms via ydoc:document:join (which only requires read permission) and subsequently em [truncated]
Open WebUI versions prior to 0.9.0 contain a broken access control vulnerability (CWE-862) affecting four API endpoints: /api/generate, /api/embed, /api/embeddings, and /api/show. These endpoints accept arbitrary model names from authenticated users and forward requests to the Ollama backend without verifying whether the requesting user has explicit authorization to access the specified model. The endpoin [truncated]
Open WebUI versions prior to 0.9.0 contain an insecure direct object reference vulnerability in the model import functionality. The POST /api/v1/models/import endpoint allows authenticated users with workspace.models_import permission to overwrite any existing model in the database by specifying a matching model ID in their import payload. The endpoint merges attacker-controlled data over existing model r [truncated]
Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability in channel membership validation. The `is_user_channel_member` function checks for the existence of a `ChannelMember` record but fails to verify the `is_active` field. When users are deactivated from a group or direct message channel—whether removed by the channel owner or through voluntary departure—their membership row pers [truncated]