Improper Authorization in Open WebUI - #VU135954
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper authorization in the background automation scheduler when executing due scheduled automations for a deactivated owner. A remote user can keep a previously created automation scheduled and let it continue running after account deactivation to cause a denial of service.
Exploitation requires a previously created active automation and a later transition of the account to the pending role.
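
The authorization gap described above, modelled as an unchecked scheduler loop beside one that re-checks the owner's role every time an automation comes due. This is an added example, not Open WebUI's code: the `Automation` fields, function names, role set and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical model: names and fields are assumptions, not Open WebUI's schema.
ACTIVE_ROLES = {"user", "admin"}  # "pending" is treated as deactivated

@dataclass
class Automation:
    id: str
    owner_id: str
    next_run: datetime
    interval: timedelta
    is_active: bool = True

def run_due_unchecked(automations, now, execute):
    """Flawed pattern: relies on the authorization decision made at creation time."""
    ran = []
    for a in automations:
        if a.is_active and a.next_run <= now:
            execute(a)
            a.next_run = now + a.interval
            ran.append(a.id)
    return ran

def run_due_checked(automations, roles, now, execute):
    """Re-authorizes the owner on every tick; unknown owners fail closed."""
    ran, disabled = [], []
    for a in automations:
        if not (a.is_active and a.next_run <= now):
            continue
        if roles.get(a.owner_id) not in ACTIVE_ROLES:
            a.is_active = False  # stop rescheduling, keep the record for audit
            disabled.append(a.id)
            continue
        execute(a)
        a.next_run = now + a.interval
        ran.append(a.id)
    return ran, disabled

def demo():
    # Constructed sample data: one active owner, one pending, one missing.
    now = datetime(2026, 1, 1, 12, 0)
    roles = {"alice": "user", "bob": "pending"}
    make = lambda: [Automation("a1", "alice", now, timedelta(hours=1)),
                    Automation("b1", "bob", now, timedelta(minutes=1)),
                    Automation("x1", "removed-user", now, timedelta(minutes=1))]
    return (run_due_unchecked(make(), now, lambda a: None),
            run_due_checked(make(), roles, now, lambda a: None))
```

The checked variant also marks the automation inactive, so a deactivated owner's job is not re-evaluated on every later tick.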