Open WebUI

Open WebUI is vulnerable to privilege escalation and code execution because a missing authorization check on the tool update endpoint allows a user with write access to a tool to replace the tool's server-side Python content and trigger execution, bypassing the intended `workspace.tools` security boundary.

Open WebUI is vulnerable to broken object-level authorization, allowing low-privilege authenticated users to enumerate and stop global background tasks across the system, leading to a denial-of-service condition and is tracked as CVE-2026-45399 and CVE-2025-63681.

Open WebUI version 0.8.3 and earlier is vulnerable to an authorization bypass, allowing any authenticated user to permanently delete files owned by other users via `DELETE /api/v1/files/{id}` if the target file is referenced in any shared chat due to a flaw in the `has_access_to_file()` function.

Open WebUI versions 0.8.11 and earlier are vulnerable to arbitrary code execution due to a bypassed feature gate; the `/api/v1/utils/code/execute` endpoint allows authenticated users to execute Python code via Jupyter even when code execution is disabled, leading to potential data exfiltration and code execution (CVE-2026-45672).

Open WebUI versions 0.8.12 and earlier are vulnerable to CVE-2026-45349, a broken access control issue where any user can continue the conversation of another user if they know the Chat ID, by using the /api/chat/completions endpoint with their own API key, allowing unauthorized access to private conversations and information.

Open WebUI versions prior to 0.8.6 contain a vulnerability in the chat completion API that allows attackers to bypass tool restrictions by invoking any server tool with elevated privileges by supplying the correct tool_id or tool_servers parameters; this issue is tracked as CVE-2026-45350.

Open WebUI versions before 0.6.19 have inconsistent authorization controls within the memories API, allowing standard users to view, delete, and restore other users' memories, potentially leading to sensitive data disclosure and unauthorized access as tracked by CVE-2026-44570.

Open WebUI is vulnerable to path traversal (CVE-2026-44565), allowing attackers to upload files to arbitrary locations on the web server's filesystem and subsequently delete them due to insufficient filename sanitization in the `/ollama/models/upload` API endpoint.

The /responses endpoint in Open WebUI's OpenAI router lacks access control, allowing authenticated users to bypass per-model access controls and interact with any configured model, potentially leading to denial of service, model theft, and access policy bypass.

Open WebUI version 0.1.105 is vulnerable to arbitrary file upload and path traversal, allowing attackers to upload files to arbitrary locations on the web server's filesystem by exploiting a lack of filename validation.

Open WebUI version 0.1.105 is vulnerable to an improper authorization control issue, where user accounts with a `pending` status can bypass authorization checks and make authenticated API calls as a `user` context due to the application failing to properly validate the user's role beyond JWT validation.

Open WebUI is vulnerable to privilege escalation; when a user connects via Socket.IO, their role is stored in an in-memory session pool, and administrative changes do not invalidate this session, allowing unauthorized access and modification of other users' notes after role revocation.

Open WebUI is vulnerable to an access control bypass due to improper model chaining, allowing a regular user to create a model that chains to a restricted base model and query it using the admin's API key, bypassing access restrictions.