Information disclosure in Open WebUI - #VU136850

 

Information disclosure in Open WebUI - #VU136850

Published: July 3, 2026


Vulnerability identifier: #VU136850
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the /api/v1/channels/{id}/members endpoint when handling requests for channel member listings. A remote user can send a request to the endpoint as a channel participant to disclose sensitive information.

Only instances with channels enabled are vulnerable. The endpoint returns full serialized user models for channel participants, including settings data such as webhook URLs and tool server key material.


Remediation

Install security update from vendor's website.

Sources