Open-Webui (<= 0.8.12)

6 briefs
high advisory

Open WebUI /responses Endpoint Authentication Bypass Vulnerability

The /responses endpoint in Open WebUI's OpenAI router performs no per-model access-control check, so any authenticated user can send requests to any configured model, including models their account is not permitted to use. This is an authorization bypass rather than a login bypass: the attacker needs a valid account, but the instance's per-model access policy no longer applies to them. Reported consequences are denial of service through unmetered use of restricted models, model theft, and bypass of the access policy.

open-webui authentication-bypass llm owasp
critical advisory

Open WebUI LDAP Empty Password Authentication Bypass

Open WebUI's LDAP authentication endpoint does not check that the submitted password is non-empty before performing a Simple Bind against the LDAP server. A Simple Bind with a valid DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many directory servers accept and report as success, so an attacker who knows only a valid username can be logged in as that user and gain complete access to the account.

open-webui authentication-bypass ldap
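The check the advisory describes as missing, as an added example that is not Open WebUI's code: the login handler must reject an empty password before it ever reaches the directory, because the bind result cannot be trusted to tell the difference. FakeLdapServer is a constructed stand-in that behaves like a directory which reports an unauthenticated bind as success; the DN template and the username character policy are assumptions for this example.

```python
# Added example (not Open WebUI's code): reject an empty password BEFORE the
# LDAP Simple Bind. FakeLdapServer is a constructed stand-in for a directory
# that treats "DN + empty password" as an unauthenticated bind and reports
# success (RFC 4513 section 5.1.2 behaviour).
import re

USER_DN_TEMPLATE = "uid={uid},ou=people,dc=example,dc=org"  # assumed directory layout
SAFE_UID = re.compile(r"[A-Za-z0-9._-]{1,64}")              # assumed username policy


class FakeLdapServer:
    """Constructed stand-in for a directory server."""

    def __init__(self, accounts: dict[str, str]) -> None:
        self.accounts = accounts  # DN -> password

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn not in self.accounts:
            return False
        if password == "":
            # Unauthenticated bind: no credential was checked, yet the server
            # answers "success". The application must not treat this as login.
            return True
        return self.accounts[dn] == password


def user_dn(username: str) -> str:
    return USER_DN_TEMPLATE.format(uid=username)


def vulnerable_ldap_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """Binds with whatever the client sent; an empty password 'succeeds'."""
    return server.simple_bind(user_dn(username), password)


def hardened_ldap_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """Refuses to bind unless both fields are present and well-formed."""
    if not password:                        # empty -> would become an unauthenticated bind
        return False
    if not SAFE_UID.fullmatch(username):    # also blocks DN metacharacters such as ',' and '='
        return False
    return server.simple_bind(user_dn(username), password)


if __name__ == "__main__":
    directory = FakeLdapServer({user_dn("alice"): "s3cret"})  # constructed account
    print("vulnerable, empty password:", vulnerable_ldap_login(directory, "alice", ""))
    print("hardened,   empty password:", hardened_ldap_login(directory, "alice", ""))
    print("hardened,   real password: ", hardened_ldap_login(directory, "alice", "s3cret"))
```

The empty-password check belongs in the application even when the directory is configured to refuse unauthenticated binds: the application cannot know how every directory it will be pointed at is configured, and failing closed costs nothing.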
high advisory

Open WebUI Cross-Instance Cache Poisoning Vulnerability

When multiple Open WebUI instances (up to version 0.8.12) share a Redis backend, they also share the same cache keys, so an attacker with admin access on one instance can overwrite cache values that the other instances read. Depending on what the poisoned entries control, this enables data exfiltration from and prompt injection against users of those other instances.

open-webui cache-poisoning redis vulnerability
high advisory

Open WebUI Stale Admin Role Enables Post-Demotion Cross-User Note Access

When a user connects over Socket.IO, Open WebUI stores the user's role in an in-memory session pool, and a later administrative role change (for example, demoting an admin to a regular user) neither refreshes nor invalidates that entry. A demoted user's open socket session therefore keeps its admin role and can read and modify other users' notes after the role has been revoked.

open-webui privilege-escalation credential-access cloud
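The stale-role pattern and two ways to close it, as an added example that is not Open WebUI's code: a session pool that snapshots the role at connect time, an authorization check that re-reads the role from the user store for every action, and a demotion routine that also evicts the user's live sessions. UserStore, SessionPool and the note-editing check are constructed stand-ins, not Open WebUI's classes.

```python
# Added example (not Open WebUI's code): a role cached in a socket session
# pool goes stale after an admin demotes the user. UserStore and SessionPool
# are constructed stand-ins for the users table and the Socket.IO pool.
from dataclasses import dataclass


@dataclass
class User:
    id: str
    role: str  # "admin" or "user"


class UserStore:
    """Stand-in for the users table (the authoritative source of the role)."""

    def __init__(self) -> None:
        self._users: dict[str, User] = {}

    def add(self, user: User) -> None:
        self._users[user.id] = user

    def get_role(self, user_id: str) -> str:
        return self._users[user_id].role

    def set_role(self, user_id: str, role: str) -> None:
        self._users[user_id].role = role


class SessionPool:
    """Stand-in for an in-memory Socket.IO session pool keyed by socket id."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}

    def connect(self, sid: str, store: UserStore, user_id: str) -> None:
        # The role is copied once, at connect time; nothing refreshes it later.
        self.sessions[sid] = {"user_id": user_id, "role": store.get_role(user_id)}

    def disconnect_user(self, user_id: str) -> list[str]:
        """Evict every live session belonging to user_id; returns the evicted sids."""
        gone = [sid for sid, s in self.sessions.items() if s["user_id"] == user_id]
        for sid in gone:
            del self.sessions[sid]
        return gone


def vulnerable_can_edit_note(pool: SessionPool, sid: str, note_owner: str) -> bool:
    """Trusts the role snapshot taken at connect time."""
    s = pool.sessions[sid]
    return s["user_id"] == note_owner or s["role"] == "admin"


def hardened_can_edit_note(pool: SessionPool, store: UserStore, sid: str, note_owner: str) -> bool:
    """Re-reads the role from the store for every authorization decision."""
    s = pool.sessions.get(sid)
    if s is None:
        return False  # no live session, e.g. evicted after a role change
    role = store.get_role(s["user_id"])
    return s["user_id"] == note_owner or role == "admin"


def demote_user(store: UserStore, pool: SessionPool, user_id: str, new_role: str = "user") -> list[str]:
    """Role change that also invalidates the user's live sessions."""
    store.set_role(user_id, new_role)
    return pool.disconnect_user(user_id)
```

The two fixes are complementary: re-reading the role at decision time is what makes the check correct, and evicting sessions on demotion stops the client from continuing to receive events it was subscribed to as an admin.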
high advisory

Open WebUI Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

The `/api/v1/retrieval/process/web` endpoint in Open WebUI does not check that the caller is authorized to write to the target knowledge-base collection, so an attacker can overwrite a victim's knowledge base with attacker-controlled content. This both destroys the victim's original data and poisons the results returned by the victim's RAG queries.

open-webui rag poisoning web-application
high advisory

Open WebUI Model Chaining Access Control Bypass

Open WebUI's model chaining lets a regular user create a custom model whose base is a model they are not permitted to access. Requests to the custom model are resolved to the restricted base model and executed with the admin's API key, so the per-model access restriction is applied only to the wrapper the user created, never to the model that actually serves the request.

open-webui access-control model-chaining privilege-escalation
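The /responses advisory and the model-chaining advisory above are two failures of the same check, so one added example (not Open WebUI's code) covers both: the per-model access check has to run on every endpoint that invokes a model, and it has to be evaluated against every model in the chain down to the base that actually serves the request, not only against the wrapper the caller named. The model registry layout, the ACL fields, the endpoint names in the router and the chain-depth limit are assumptions for this example.

```python
# Added example (not Open WebUI's code): per-model access control that is
# (a) evaluated on the whole model chain, and (b) applied centrally so that
# no endpoint can reach a model without it. Registry layout is assumed:
#   models = {model_id: {"base_model_id": str | None,
#                        "access": {"public": bool, "allowed_users": set[str]}}}
MAX_CHAIN_DEPTH = 8  # assumed limit; also stops a cyclic chain from looping


def user_can_access(model: dict, user: dict) -> bool:
    """Per-model ACL: admins see everything, others need public or an explicit grant."""
    if user["role"] == "admin":
        return True
    acl = model["access"]
    return acl["public"] or user["id"] in acl["allowed_users"]


def vulnerable_authorize(models: dict, model_id: str, user: dict) -> bool:
    """Checks only the model the caller named. A wrapper the user created and
    marked public passes even when its base model is restricted."""
    return user_can_access(models[model_id], user)


def hardened_authorize(models: dict, model_id: str, user: dict) -> bool:
    """Walks the chain and requires access to every hop, including the base.
    Fails closed on unknown ids, cycles and over-long chains."""
    current = model_id
    for _ in range(MAX_CHAIN_DEPTH):
        model = models.get(current)
        if model is None or not user_can_access(model, user):
            return False
        if model["base_model_id"] is None:
            return True      # reached the base model with every hop allowed
        current = model["base_model_id"]
    return False             # depth exceeded: treat as a cycle and deny


GATED_ENDPOINTS = {"/chat/completions"}  # assumed: a newer endpoint was never added here


def vulnerable_route(endpoint: str, models: dict, model_id: str, user: dict) -> str:
    """Per-endpoint gating. Any endpoint missing from GATED_ENDPOINTS reaches
    the model unchecked, which is the /responses failure mode."""
    if endpoint in GATED_ENDPOINTS and not vulnerable_authorize(models, model_id, user):
        return "403 forbidden"
    return f"200 {endpoint} -> {model_id}"


def hardened_route(endpoint: str, models: dict, model_id: str, user: dict) -> str:
    """One gate in front of dispatch: every endpoint, whole chain."""
    if not hardened_authorize(models, model_id, user):
        return "403 forbidden"
    return f"200 {endpoint} -> {model_id}"


if __name__ == "__main__":
    # Constructed registry: a restricted base and a public wrapper chained to it.
    registry = {
        "restricted-base": {"base_model_id": None,
                            "access": {"public": False, "allowed_users": set()}},
        "my-wrapper": {"base_model_id": "restricted-base",
                       "access": {"public": True, "allowed_users": set()}},
    }
    alice = {"id": "u2", "role": "user"}
    print("wrapper, vulnerable:", vulnerable_route("/chat/completions", registry, "my-wrapper", alice))
    print("wrapper, hardened:  ", hardened_route("/chat/completions", registry, "my-wrapper", alice))
    print("/responses, vulnerable:", vulnerable_route("/responses", registry, "restricted-base", alice))
    print("/responses, hardened:  ", hardened_route("/responses", registry, "restricted-base", alice))
```

Checking every hop rather than only the resolved base is deliberate: it keeps the decision independent of whose credentials the backend call is eventually made with, so an admin-owned API key used for the upstream request never widens what the caller is allowed to reach.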