Threat Feed

Vendor: Open-Webui (5 briefs)
high advisory

Open WebUI /responses Endpoint Authentication Bypass Vulnerability

The /responses endpoint in Open WebUI's OpenAI router lacks access control, allowing authenticated users to bypass per-model access controls and interact with any configured model, potentially leading to denial of service, model theft, and access policy bypass.

open-webui authentication-bypass llm owasp
high advisory

Open WebUI Arbitrary File Upload and Path Traversal Vulnerability

Open WebUI version 0.1.105 is vulnerable to arbitrary file upload and path traversal, allowing attackers to upload files to arbitrary locations on the web server's filesystem by exploiting a lack of filename validation.

Open WebUI path-traversal file-upload web-application
high advisory

Open WebUI Improper Authorization Control Vulnerability

Open WebUI version 0.1.105 is vulnerable to an improper authorization control issue: user accounts with a `pending` status can bypass authorization checks and make authenticated API calls in a `user` context, because the application validates only the JWT and does not properly check the user's role beyond that.

Open WebUI authorization web-application vulnerability
high advisory

Open WebUI Stale Admin Role Enables Post-Demotion Cross-User Note Access

Open WebUI is vulnerable to privilege escalation: when a user connects via Socket.IO, their role is stored in an in-memory session pool, and administrative role changes do not invalidate that session, so a user whose admin role has been revoked can still access and modify other users' notes.

open-webui privilege-escalation credential-access cloud
high advisory

Open WebUI Model Chaining Access Control Bypass

Open WebUI is vulnerable to an access control bypass through improper model chaining: a regular user can create a model that chains to a restricted base model and then query it using the admin's API key, bypassing the access restrictions on the base model.

open-webui access-control model-chaining privilege-escalation