SB2026011239 - Multiple vulnerabilities in Open WebUI

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Command Injection (CVE-ID: CVE-2026-0765)

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation within the install_frontmatter_requirements function. A remote user can pass specially crafted data to the application and execute arbitrary commands.

2) Cleartext transmission of sensitive information (CVE-ID: CVE-2026-0767)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A remote attacker on the local network can gain access to sensitive data.

3) Command Injection (CVE-ID: CVE-2026-0766)

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation within the load_tool_module_by_id function. A remote user can pass specially crafted data to the application and execute arbitrary commands.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://www.zerodayinitiative.com/advisories/ZDI-26-031/
• https://www.zerodayinitiative.com/advisories/ZDI-26-033/
• https://www.zerodayinitiative.com/advisories/ZDI-26-032/