Open WebUI
pip, ML, UI
Total CVEs: 32
Critical: 0
Ecosystem: pip
Last CVE: Mar 27, 2026
Known Vulnerabilities (30+ shown)
| Severity | CVE ID | Summary | CVSS | Published |
|---|---|---|---|---|
| HIGH | CVE-2026-34222 | Open WebUI: access control bypass leaks Tool Valve API keys | 7.7 | Apr 1, 2026 |
| MEDIUM | CVE-2026-28786 | Open WebUI: path traversal leaks server filesystem path | 4.3 | Mar 27, 2026 |
| HIGH | CVE-2026-28788 | Open WebUI: BOLA enables RAG poisoning via file overwrite | 7.1 | Mar 27, 2026 |
| MEDIUM | CVE-2026-29070 | open-webui: missing authz allows cross-KB file deletion | 5.4 | Mar 27, 2026 |
| LOW | CVE-2026-29071 | Open WebUI: IDOR exposes AI memories and private files | 3.1 | Mar 27, 2026 |
| LOW | CVE-2024-7038 | open-webui: filesystem enumeration via admin error messages | 2.7 | Oct 9, 2024 |
| MEDIUM | CVE-2024-7037 | open-webui: path traversal → arbitrary file write/RCE | 6.5 | Oct 9, 2024 |
| MEDIUM | CVE-2024-7041 | open-webui: IDOR enables cross-user memory tampering | 6.5 | Oct 9, 2024 |
| HIGH | GHSA-5ccf-884p-4jjq | open-webui: DoS via unauthenticated multipart parsing | 7.5 | Mar 20, 2025 |
| HIGH | CVE-2024-7043 | Open WebUI: auth bypass exposes all user files | 8.1 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7044 | Open WebUI: Stored XSS via file upload, session hijack | 6.8 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7045 | open-webui: missing authz exposes admin prompts | 4.3 | Mar 20, 2025 |
| HIGH | CVE-2024-12537 | Open-WebUI: unauthenticated DoS via code formatter | 7.5 | Mar 20, 2025 |
| HIGH | CVE-2024-7039 | open-webui: Privilege bypass enables admin account deletion | 8.3 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7034 | open-webui: path traversal allows arbitrary file write/RCE | 6.5 | Mar 20, 2025 |
| HIGH | CVE-2024-12534 | open-webui: unauthenticated DoS via login payload flood | 7.5 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7033 | open-webui: path traversal allows file write and RCE | 6.5 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7046 | Open WebUI: missing authz leaks admin credentials | 4.3 | Mar 20, 2025 |
| HIGH | CVE-2024-7053 | open-webui: XSS enables admin session hijack via chat | 7.6 | Mar 20, 2025 |
| HIGH | GHSA-w466-2wfc-8g58 | open-webui: DoS via starlette memory exhaustion | 7.5 | Mar 20, 2025 |
| HIGH | GHSA-6wj5-5pgr-jwq8 | open-webui: DoS via malformed multipart boundary | 7.5 | Mar 20, 2025 |
| HIGH | CVE-2024-7806 | Open-WebUI: CSRF enables RCE via pipeline code injection | 8.0 | Mar 20, 2025 |
| HIGH | CVE-2024-7983 | open-webui: unauthenticated DoS via markdown parser | 7.5 | Mar 20, 2025 |
| HIGH | CVE-2024-8053 | Open-WebUI: unauthenticated PDF endpoint enables DoS | 7.5 | Mar 20, 2025 |
| HIGH | CVE-2024-8060 | OpenWebUI: path traversal RCE via audio upload API | 8.1 | Mar 20, 2025 |
| HIGH | CVE-2024-7990 | open-webui: Stored XSS enables admin session hijack | 8.4 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7035 | Open WebUI: CSRF wipes RAG DB and AI memories via GET | 6.9 | Mar 20, 2025 |
| HIGH | CVE-2024-7036 | open-webui: unauthenticated DoS disables Admin panel | 7.5 | Mar 20, 2025 |
| HIGH | CVE-2025-64495 | Open WebUI: XSS-to-RCE via malicious prompt injection | 8.7 | Nov 7, 2025 |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | 7.3 | Nov 7, 2025 |