SB2026051165 - Multiple vulnerabilities in Open WebUI




Published: May 11, 2026

Security Bulletin ID: SB2026051165
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 30%, Low: 70%

Description

This security bulletin contains information about 10 vulnerabilities.


1) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: N/A)

The vulnerability allows a remote user to manipulate evaluation data and spoof feedback authorship.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the POST /api/v1/evaluations/feedback endpoint when processing feedback creation requests. A remote user can submit a specially crafted request with extra fields such as user_id to manipulate evaluation data and spoof feedback authorship.

The issue is caused by FeedbackForm accepting unexpected fields via extra='allow' and by insert_new_feedback() merging form data after server-derived values, allowing request-supplied fields to overwrite user_id, id, and version.
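The merge-order problem described above, shown beside a corrected form. This is an added example, not Open WebUI code: plain dicts stand in for the parsed FeedbackForm, and the function names, the CLIENT_FIELDS allow-list and the sample body are assumptions made for illustration.

```python
import time
import uuid

# Assumed allow-list of fields a client may set (hypothetical names).
CLIENT_FIELDS = {"type", "data", "meta", "snapshot"}


def insert_feedback_vulnerable(session_user_id: str, form: dict) -> dict:
    """Merge order from the bulletin: form data applied after server values."""
    return {
        "id": str(uuid.uuid4()),
        "user_id": session_user_id,
        "version": 0,
        **form,  # request-supplied keys overwrite id, user_id and version
        "created_at": int(time.time()),
    }


def insert_feedback_hardened(session_user_id: str, form: dict) -> dict:
    """Reject unknown fields, then apply server-derived values last."""
    unexpected = set(form) - CLIENT_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    return {
        **form,
        "id": str(uuid.uuid4()),
        "user_id": session_user_id,  # always taken from the session
        "version": 0,
        "created_at": int(time.time()),
    }


# Constructed request body: a normal rating plus an extra user_id field.
SAMPLE_BODY = {"type": "rating", "data": {"rating": 1}, "user_id": "someone-else"}

if __name__ == "__main__":
    row = insert_feedback_vulnerable("alice", SAMPLE_BODY)
    print("vulnerable merge stores user_id =", row["user_id"])
    try:
        insert_feedback_hardened("alice", SAMPLE_BODY)
    except ValueError as exc:
        print("hardened handler rejects request:", exc)
```

Either control alone closes the overwrite: forbidding extra fields at the schema level, or applying server-derived values after the form data. Using both keeps the handler safe if one of them is later relaxed.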


2) Missing Authentication for Critical Function (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication in get_status() in backend/open_webui/routers/retrieval.py when handling GET requests to /api/v1/retrieval/. A remote attacker can send an unauthenticated request to disclose sensitive information.

The endpoint returns live RAG pipeline configuration values including the RAG template, embedding model, embedding engine, reranking model, and chunking parameters.


3) Missing Authorization (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to missing authorization in the tool update endpoint when processing update requests for tool content. A remote privileged user can send a specially crafted update request to execute arbitrary code.

Exploitation requires write access to an existing tool, and the issue bypasses the intended workspace.tools permission boundary for server-side code execution.


4) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary script in the victim's browser and take over the victim's account.

The vulnerability exists due to cross-site scripting in the profile image handling and serving flow when processing an OAuth picture claim and serving the stored profile image as an inline SVG document. A remote user can set a crafted SVG picture URL via OAuth and trick a victim into opening the profile image URL to execute arbitrary script in the victim's browser and take over the victim's account.

User interaction is required, and exploitation requires OAuth signup to be enabled or OAuth picture synchronization on login to be enabled.


5) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to modify message pin status.

The vulnerability exists due to improper access control in the pin_channel_message API endpoint when handling pin and unpin requests for standard channels. A remote user can send a crafted request to modify message pin status.

In standard channels, the endpoint checks read permission instead of write permission, allowing users with read-only access to pin or unpin messages.


6) Authorization bypass through user-controlled key (CVE-ID: N/A)

The vulnerability allows a remote user to modify other users' messages.

The vulnerability exists due to improper access control in the update_message_by_id API endpoint when handling update requests for group or dm channels. A remote user can send a crafted update request for another member's message to modify other users' messages.

The issue affects the Channels feature and only applies when that feature is enabled. Messages posted by administrators within the same channel can also be modified.


7) Authorization bypass through user-controlled key (CVE-ID: N/A)

The vulnerability allows a remote user to read and modify another user's private knowledge base content and cause a denial of service.

The vulnerability exists due to authorization bypass through user-controlled key in the retrieval API endpoints when handling knowledge base collection names supplied as raw UUIDs. A remote user can send specially crafted retrieval API requests using a target knowledge base UUID to read private content, inject attacker-controlled content, or overwrite the knowledge base.

Exploitation requires an authenticated non-admin account and knowledge of a target knowledge base UUID.


8) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

The vulnerability allows a remote user to perform server-side request forgery.

The vulnerability exists due to inconsistent URL parsing in validate_url when validating and fetching user-supplied URLs. A remote user can supply a specially crafted URL to perform server-side request forgery.

The issue is caused by a parsing difference between urllib.parse.urlparse and the requests library, which can make validation treat the destination as a public host while the actual request is sent to an internal host.
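One way to remove the parser disagreement is to parse the URL once, refuse syntax that parsers interpret differently, and check every resolved address before fetching. This is an added example, not Open WebUI's validate_url; check_url, its resolve parameter and the sample hosts are hypothetical, and it generalises beyond the single case in the bulletin.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _resolve(host):
    """Default resolver: every address the name maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_url(url, resolve=_resolve):
    """Return (scheme, host, port) if the URL is safe to fetch, else raise."""
    # Refuse characters that URL parsers are known to treat differently.
    if not url.isascii() or any(c in url for c in "\\ \t\r\n"):
        raise ValueError("ambiguous characters in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if "@" in parts.netloc:
        raise ValueError("userinfo not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolve(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # Every address the host resolves to must be globally routable.
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return parts.scheme, host, port


if __name__ == "__main__":
    # Constructed resolvers so the demo runs offline.
    public = lambda h: ["93.184.216.34"]
    internal = lambda h: ["10.0.0.5"]
    print(check_url("https://example.com/doc", resolve=public))
    for url, r in [("http://intranet.example/", internal),
                   ("http://user@example.com/", public)]:
        try:
            check_url(url, resolve=r)
        except ValueError as exc:
            print("rejected:", exc)
```

The caller should build the outbound request from the returned components, not from the original string, so the HTTP client never re-parses input the validator has already interpreted.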


9) Authorization bypass through user-controlled key (CVE-ID: N/A)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to authorization bypass through a user-controlled key in the folder knowledge ingestion and knowledge-base file attach endpoints when processing a user-supplied file_id without verifying access to the referenced file. A remote user can attach another user's file to a folder or knowledge base they control to disclose sensitive information.

Knowledge of the target file UUID is required, and the knowledge-base attach path can also enable modification of the attached file's content.


10) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the /api/v1/models/model endpoint when handling requests for model details by id. A remote user can send a request for a shared model identifier to disclose sensitive information.

The issue exposes the model's system prompt to users who were granted read access for model use.


Remediation

Install the update from the vendor's website.