SB2026063039 - Multiple vulnerabilities in Open WebUI



SB2026063039 - Multiple vulnerabilities in Open WebUI

Published: June 30, 2026

Security Bulletin ID SB2026063039
CSH Severity
High
Patch available
YES
Number of vulnerabilities 15
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 7% Medium 13% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 15 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-54016)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the builtin search_knowledge_files tool when handling a user-supplied knowledge_id in the no attached knowledge branch. A remote user can supply an arbitrary knowledge_id to enumerate metadata for files in a knowledge base without authorization to disclose sensitive information.

Exploitation requires native function calling to be enabled, builtin tools and the knowledge tool category to be enabled, the selected model to have no attached knowledge bases, and knowledge of a valid target knowledge_id.


2) Path traversal (CVE-ID: CVE-2026-54014)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in serve_cache_file() in open_webui/main.py when handling GET requests to /cache/{path}. A remote user can send a specially crafted request using a sibling-prefix traversal path to disclose sensitive information.

Only sibling directories whose names begin with "cache" are reachable through the bypass. Deep traversal and absolute paths are blocked, and delivering the payload may require a raw HTTP or ASGI request because some clients normalize ".." segments.


3) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-54015)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and delete prompt history entries.

The vulnerability exists due to authorization bypass through user-controlled key in prompt version-history endpoints when handling caller-supplied history IDs that are not bound to the authorized prompt. A remote user can supply a victim prompt history ID to read another user's prompt snapshots or delete another user's history entry to disclose sensitive information and delete prompt history entries.

Exploitation requires knowing or obtaining victim prompt history UUIDs. The delete impact is limited to version-history entries and does not destroy the active prompt row.


4) Missing Authorization (CVE-ID: CVE-2026-54012)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read and delete other users' files.

The vulnerability exists due to improper authorization in model metadata handling and file access control when storing and using forged meta.knowledge file references. A remote user can create, update, or import a workspace model with a specially crafted meta.knowledge entry to read file content or delete the referenced file.

Exploitation requires the ability to create, update, or import workspace models and knowledge of a victim file ID.


5) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-54010)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to read arbitrary files belonging to other users.

The vulnerability exists due to authorization bypass through a user-controlled key in chat-file association handling when attaching a crafted file_id to a chat message and accessing the shared chat file content endpoint. A remote user can attach an arbitrary victim file_id to an attacker-controlled chat and then request the file content endpoint to read arbitrary files belonging to other users.

The issue requires knowledge of a victim file_id and relies on shared chat access being used to satisfy file authorization.


6) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-54019)

CWE-ID: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in data query logic in the Milvus multitenancy retrieval query handling when processing user-supplied collection names. A remote user can send a specially crafted query request to disclose sensitive information.

Only deployments using Milvus multitenancy mode are vulnerable, and no user interaction is required.


7) Cross-site scripting (CVE-ID: CVE-2026-54013)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute script in the victim's browser and take over accounts.

The vulnerability exists due to cross-site scripting in the model profile image handling endpoint when rendering a stored crafted SVG image. A remote user can create a model with a specially crafted profile_image_url and induce a victim to open the model image URL to execute script in the victim's browser and take over accounts.

User interaction is required to navigate to the model image URL, and exploitation requires permission to create or modify models.


8) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-54008)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information from internal network resources.

The vulnerability exists due to server-side request forgery (SSRF) in _process_picture_url in backend/open_webui/utils/oauth.py when processing an OAuth picture URL that redirects to an internal address. A remote user can supply a public URL in the OAuth picture claim that returns a redirect to an internal resource to disclose sensitive information from internal network resources.

Exploitation requires OAuth signup or picture update on login to be enabled, and the attacker-controlled response body is base64-encoded into the user's profile_image_url field where it can be read back.


9) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-54009)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the convert_url_images_to_base64 image_url file resolution path when processing chat completion requests with a non-http image_url.url value treated as a file id. A remote user can submit a crafted chat completion request referencing another user's file id to disclose sensitive information.

Exploitation requires a valid file id and is limited to content that the LLM accepts through the image_url attachment flow.


10) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-54006)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify another user's calendar contents.

The vulnerability exists due to authorization bypass through a user-controlled key in the POST /api/v1/calendars/events/{event_id}/update endpoint when updating an event's destination calendar_id. A remote user can send a crafted update request to modify another user's calendar contents.

The issue is reachable in the default configuration with calendar features enabled, and exploitation requires knowledge of the destination calendar ID.


11) Cross-site scripting (CVE-ID: CVE-2026-54011)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser under the application origin.

The vulnerability exists due to cross-site scripting in the Mermaid markdown preview renderer when rendering attacker-controlled Mermaid content from a Markdown file. A remote user can upload or provide a specially crafted Markdown file to execute arbitrary JavaScript in the victim's browser under the application origin.

User interaction is required to open the crafted Markdown file in the preview panel.


12) Origin validation error (CVE-ID: CVE-2026-54007)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to trigger unauthorized prompt submission and model or tool execution under the victim's session.

The vulnerability exists due to improper origin validation in the chat message listener in src/lib/components/chat/Chat.svelte when processing cross-origin postMessage messages. A remote attacker can send crafted input:prompt and action:submit messages to trigger unauthorized prompt submission and model or tool execution under the victim's session.

The victim must be authenticated to Open WebUI in the browser, and user interaction is required to click on the attacker-controlled page.


13) Improper access control (CVE-ID: CVE-2026-54021)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access restricted Ollama backend resources.

The vulnerability exists due to improper access control in indexed Ollama proxy routes in backend/open_webui/routers/ollama.py when handling caller-supplied url_idx path parameters. A remote user can supply a crafted url_idx value to access restricted Ollama backend resources.

Requests are forwarded using the target backend's configured API key, and admin-disabled backends remain reachable through indexed routes because the disabled state is not re-checked at request time.


14) Path traversal (CVE-ID: CVE-2026-54017)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access unintended endpoints and files on the terminal-server host and reach internal services via server-side request forgery.

The vulnerability exists due to path traversal in the terminal-server reverse proxy in backend/open_webui/routers/terminals.py when forwarding a user-controlled path segment to an admin-configured terminal server. A remote user can send a specially crafted request containing encoded traversal sequences to access unintended endpoints and files on the terminal-server host and reach internal services via server-side request forgery.

Exploitation requires that the user has been granted access to a terminal server, and the policy_id form can allow traversal outside the intended policy namespace.


15) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-54018)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access internal services and disclose sensitive information.

The vulnerability exists due to improper control of server-side request forgery in SafePlaywrightURLLoader validate_url and Playwright page.goto when following HTTP redirects. A remote user can supply a benign-looking URL that redirects to an internal address to access internal services and disclose sensitive information.

Only the Playwright-based web loader is affected, and the issue can be triggered even when ENABLE_RAG_LOCAL_WEB_FETCH is set to false.


Remediation

Install update from vendor's website.

References