Incorrect authorization in Open WebUI - #VU135956
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to bypass authorization controls and cause a denial of service through billable resource consumption.
The vulnerability exists due to incorrect authorization in the POST /api/v1/images/edit endpoint when handling image edit requests. A remote user can send a specially crafted request to bypass authorization controls and cause a denial of service through billable resource consumption.
The issue affects verified non-admin users and exposes an administrator-only image-editing capability through the direct route.