Export limit exceeded: 351576 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351576 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-44562 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 6.5 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of ownership. When an imported model's ID matches an existing model, the endpoint merges the attacker's payload over the existing model data and writes it to the database with no ownership or access grant validation. Additionally, filter_allowed_access_grants is never called, bypassing the access grant restrictions enforced on all other model mutation endpoints. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-44561 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 5.4 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with is_active=False and status='left'. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-44560 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 6.5 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare collection_name/collection_names paths in the get_sources_from_items function perform vector store queries without any authorization check, allowing users to extract content from files and knowledge bases they do not have access to. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-44559 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 4.3 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private ones — there is no channel_has_access check before returning the member list. Any authenticated user who knows a private channel's UUID can enumerate all users with access to that channel. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-45671 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 8 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user's identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-45399 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 7.1 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST /api/tasks/stop/{task_id} methods. This allows a casual user to disrupt system-wide chat usage by continuously canceling other users' active tasks. This is a real authorization vulnerability affecting integrity and usability in multi-user deployments. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-45339 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 6.5 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-... header are correctly blocked with 403. However, the same key sent via the x-api-key header bypasses the restriction entirely — the request is authenticated, the model is invoked, and a full response is returned. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-45331 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 8.5 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators library does NOT implement the private keyword for IPv6 — the call raises a ValidationError (which is falsy in a boolean context), so every IPv6 address passes the filter. In addition, IPv4-mapped IPv6 (::ffff:10.0.0.1) bypasses the IPv4 check entirely, and several reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, etc.) are not blocked. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-44568 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 4.8 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse() inside {@html} with an incorrect DOMPurify application order. An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This vulnerability is fixed in 0.9.0. | ||||
| CVE-2026-45387 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 4.3 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However users may consider their system prompt confidential, so this is considered a security issue. This vulnerability is fixed in 0.9.5. | ||||
| CVE-2026-45395 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 7.2 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities ( and who the administrator considers untrusted for code execution ) to replace a tool's server-side Python content and trigger execution, bypassing the intended workspace.tools security boundary. This vulnerability is fixed in 0.9.5. | ||||
| CVE-2026-33233 | 1 Significant-gravitas | 1 Autogpt | 2026-05-19 | 7.6 High |
| AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52. | ||||
| CVE-2026-45385 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 4.3 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. In the update_message_by_id function, for group or dm type channels, only the caller's membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. This vulnerability is fixed in 0.9.5. | ||||
| CVE-2026-45246 | 1 Steipete | 1 Summarize | 2026-05-19 | 5.5 Medium |
| Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems. | ||||
| CVE-2026-45242 | 1 Steipete | 1 Summarize | 2026-05-19 | 7.1 High |
| Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction. | ||||
| CVE-2026-45245 | 1 Steipete | 1 Summarize | 2026-05-19 | 7.4 High |
| Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content. | ||||
| CVE-2026-8553 | 1 Google | 1 Chrome | 2026-05-19 | 3.1 Low |
| Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-8557 | 1 Google | 1 Chrome | 2026-05-19 | 7.5 High |
| Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-8558 | 1 Google | 1 Chrome | 2026-05-19 | 8.8 High |
| Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-8537 | 1 Google | 1 Chrome | 2026-05-19 | 4.3 Medium |
| Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | ||||