Information disclosure in Open WebUI - #VU136850
Published: July 3, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the /api/v1/channels/{id}/members endpoint when handling requests for channel member listings. A remote user can send a request to the endpoint as a channel participant to disclose sensitive information.
Only instances with channels enabled are vulnerable. The endpoint returns full serialized user models for channel participants, including settings data such as webhook URLs and tool server key material.