SB2026063040 - Multiple vulnerabilities in Open WebUI



SB2026063040 - Multiple vulnerabilities in Open WebUI

Published: June 30, 2026 Updated: July 3, 2026

Security Bulletin ID SB2026063040
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 19
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 11% Low 89%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 19 vulnerabilities.


1) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to cross-site scripting in the Pyodide code execution feature when processing Python code stored in a shared chat and executed in a same-origin worker. A remote user can store a crafted payload in a shared chat and induce the victim to click Run to execute arbitrary code on the server.

User interaction is required, and exploitation for server-side code execution depends on the victim having admin privileges or the workspace.functions or workspace.tools permissions. Open WebUI must be configured to use Pyodide.


2) Improper Authorization (CVE-ID: N/A)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper authorization in the background automation scheduler when executing due scheduled automations for a deactivated owner. A remote user can keep a previously created automation scheduled and let it continue running after account deactivation to cause a denial of service.

Exploitation requires a previously created active automation and a later transition of the account to the pending role.


3) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass model access restrictions.

The vulnerability exists due to incorrect authorization in model access control checks when validating access for a stored automation model ID. A remote user can rely on a pending role falling through the access-control logic to bypass model access restrictions.

This issue affects non-admin roles because private-model grants were enforced only for the exact role user.


4) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass authorization controls and cause a denial of service through billable resource consumption.

The vulnerability exists due to incorrect authorization in the POST /api/v1/images/edit endpoint when handling image edit requests. A remote user can send a specially crafted request to bypass authorization controls and cause a denial of service through billable resource consumption.

The issue affects verified non-admin users and exposes an administrator-only image-editing capability through the direct route.


5) Inefficient regular expression complexity (CVE-ID: N/A)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to inefficient regular expression complexity in skill-mention regexes in backend/open_webui/utils/middleware.py when processing chat messages or retrieved content containing a skill-mention pattern without a closing >. A remote user can send a specially crafted chat message to cause a denial of service.

The affected regex processing runs synchronously on the asyncio event loop on every chat completion with no feature gate, and benign retrieved content such as a RAG chunk or tool output can also trigger the issue.


6) Information Exposure Through Timing Discrepancy (CVE-ID: N/A)

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information about account existence.

The vulnerability exists due to observable timing discrepancy in /api/v1/auths/signin when handling signin requests. A remote attacker can send repeated login requests and measure response times to disclose sensitive information about account existence.

The response body remained the same for attempts, and the disclosure was limited to whether an email address was registered.


7) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify knowledge-base file membership.

The vulnerability exists due to improper access control in the upload auto-link path in file upload background processing when processing user-supplied upload metadata. A remote user can supply a crafted metadata.knowledge_id value during file upload to modify knowledge-base file membership.

The issue requires a verified account and a valid target knowledge-base ID. A user with read access but without write access to the target knowledge base can exploit it.


8) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code in another user's authenticated browser session and, if the victim is an administrator, execute arbitrary code on the server.

The vulnerability exists due to missing authorization in the Socket.IO event-caller get_event_call() when processing a client-supplied session_id. A remote user can send a specially crafted chat completion request with another user's session identifier to execute arbitrary code in another user's authenticated browser session and, if the victim is an administrator, execute arbitrary code on the server.

Exploitation requires user interaction and access to a shared note that exposes the victim's live socket identifier to a read-access participant.


9) Improper Authorization (CVE-ID: N/A)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to continue accessing realtime features with a revoked JWT.

The vulnerability exists due to improper access control in realtime authentication endpoints when validating JWTs for new Socket.IO or terminal websocket connections. A remote user can present a revoked token to continue accessing realtime features with a revoked JWT.

Only deployments with Redis configured are vulnerable. HTTP authentication correctly rejects the revoked token, but realtime connection paths still accept it. Terminal websocket access is affected only when terminal servers are configured.


10) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to overwrite messages in channels they do not belong to.

The vulnerability exists due to improper access control in the chat completion API channel pipeline when handling chat completion requests with a channel:-prefixed chat_id and attacker-controlled message_id values. A remote user can send a specially crafted chat completion request to overwrite messages in channels they do not belong to.

The overwritten message retains the original author attribution while displaying attacker-controlled content, including in private and direct-message channels.


11) Missing Authentication for Critical Function (CVE-ID: N/A)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to manipulate collaborative document session state.

The vulnerability exists due to missing authentication for critical function in the Socket.IO Ydoc event handlers `ydoc:awareness:update` and `ydoc:document:leave` when handling WebSocket events for collaborative document sessions. A remote user can send crafted Socket.IO events with spoofed user identifiers to manipulate collaborative document session state.

This can be used to spoof user presence and cursor awareness data in document rooms, and to broadcast false user-left events.


12) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify or delete another user's file.

The vulnerability exists due to improper access control in model meta.knowledge file handling when attaching a readable file ID to an attacker-controlled workspace model. A remote user can create or update a model that references the file to modify or delete another user's file.

Exploitation requires Models workspace access and read-only access to the target file through a knowledge-base grant.


13) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in get_all_models handlers in routers/openai.py and routers/ollama.py when caching permission-filtered model lists. A remote user can request the model list within the cache ttl window to disclose sensitive information.

The exposure is timing-dependent and limited to the most recently cached permission-filtered model list, and the attacker cannot choose which other user's list is returned.


14) Authorization bypass through user-controlled key (CVE-ID: N/A)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key in the channel thread message retrieval logic when handling a thread request with a caller-supplied message id. A remote user can request a thread in an accessible channel while supplying a private channel's message id as the thread root to disclose sensitive information.

The issue can expose the message content, channel id, and author metadata from a private channel, and direct access to the victim channel may still be denied.


15) Authentication Bypass by Spoofing (CVE-ID: N/A)

CWE-ID: CWE-290 - Authentication Bypass by Spoofing

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to spoof another user's identity to access that user's terminal scope.

The vulnerability exists due to authentication bypass by spoofing in the terminal proxy in backend/open_webui/routers/terminals.py when forwarding terminal identity to the upstream terminal server or backend coordinator. A remote user can supply crafted terminal requests or a crafted session_id value to make the upstream resolve a spoofed user identity and access that user's terminal scope.

On the WebSocket path, exploitation can allow attaching to a live PTY when a valid active session ID is known, such as one exposed through a shared chat.


16) Protection mechanism failure (CVE-ID: N/A)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information from administrator-blocked publicly resolvable hosts.

The vulnerability exists due to protection mechanism failure in WEB_FETCH_FILTER_LIST hostname filtering when processing server-side web fetch URLs. A remote user can trigger a server-side web fetch using a crafted URL to disclose sensitive information from administrator-blocked publicly resolvable hosts.

The issue affects the allow/block list used by RAG URL ingestion, URL-to-markdown, and web-search content fetch. Fetched content is returned to the requester. This issue does not bypass the separate always-on guard that blocks URLs resolving to non-global IP addresses when local web fetch is disabled, which is the default.


17) Information disclosure (CVE-ID: N/A)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the /api/v1/channels/{id}/members endpoint when handling requests for channel member listings. A remote user can send a request to the endpoint as a channel participant to disclose sensitive information.

Only instances with channels enabled are vulnerable. The endpoint returns full serialized user models for channel participants, including settings data such as webhook URLs and tool server key material.


18) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass model access controls and disclose restricted model output.

The vulnerability exists due to missing authorization in task endpoints and the arena fallback resolver in generate_chat_completion() when handling task completion requests through a readable arena wrapper model that resolves to a restricted underlying model. A remote user can send a crafted task completion request to bypass model access controls and disclose restricted model output.

The issue affects task routes that call generate_chat_completion() directly, where arena fallback recursion uses bypass_filter=true after wrapper access is checked. The caller must be able to read the arena wrapper model.


19) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access paths outside the intended terminal proxy path boundary.

The vulnerability exists due to path traversal in _sanitize_proxy_path() in backend/open_webui/routers/terminals.py when processing a 9x percent-encoded traversal path through the terminal proxy. A remote user can send a specially crafted path parameter to access paths outside the intended terminal proxy path boundary.

Exploitation requires access to an existing admin-configured terminal connection, and forwarded requests use the configured terminal credentials and X-User-Id header.


Remediation

Install update from vendor's website.

References