Open WebUI Vulnerabilities
pip ML UI
Risk Score: 38
Total CVEs: 92
Critical: 1
Ecosystem: pip
Last CVE: May 14, 2026
Patch Rate: 74%
Avg Time to Patch: 4d
137,383 stars
19,613 forks
302 issues
Last push May 15, 2026
Known Vulnerabilities (92 total, page 2 of 4)
Severity | CVE ID | Summary | CVSS | Published
HIGH | CVE-2026-45400 | open-webui: SSRF bypass via URL parser mismatch | 8.5 | May 14, 2026
HIGH | CVE-2026-45401 | open-webui: SSRF redirect bypass exposes internal services | 8.5 | May 14, 2026
HIGH | GHSA-3wgj-c2hg-vm6q | open-webui: XSS via OAuth SVG picture → account takeover | 7.3 | May 14, 2026
HIGH | CVE-2026-45402 | open-webui: auth bypass exposes any user's private files via RAG | 8.1 | May 14, 2026
MEDIUM | CVE-2026-45666 | open-webui: IDOR exposes cross-user note data | 6.5 | May 14, 2026
MEDIUM | CVE-2026-45667 | open-webui: unauth endpoint drains embedding budget/DoS | 6.5 | May 14, 2026
HIGH | CVE-2026-45671 | Open WebUI: auth bypass enables mass file deletion | 8.0 | May 14, 2026
HIGH | CVE-2026-45672 | open-webui: code exec gate bypass via API endpoint | 8.8 | May 14, 2026
HIGH | CVE-2026-45675 | Open WebUI: TOCTOU race grants admin on first OAuth/LDAP | 8.1 | May 14, 2026
HIGH | GHSA-6xcp-7mpr-m7wm | open-webui: CORS misconfiguration enables 1-click RCE | 8.3 | May 11, 2026
HIGH | CVE-2026-44565 | open-webui: path traversal enables file write/delete | 8.1 | May 11, 2026
HIGH | CVE-2026-44569 | Open WebUI: IDOR enables cross-user message tampering | 7.1 | May 11, 2026
MEDIUM | CVE-2026-44571 | open-webui: auth bypass allows message tampering | 6.5 | May 11, 2026
HIGH | CVE-2026-44570 | open-webui: IDOR exposes cross-user AI memory data | 8.3 | May 11, 2026
MEDIUM | CVE-2026-44564 | open-webui: auth bypass in collaborative doc editing | 5.4 | May 8, 2026
MEDIUM | CVE-2026-44561 | open-webui: auth bypass exposes private group channels | 5.4 | May 8, 2026
MEDIUM | CVE-2026-44560 | open-webui: RAG auth bypass exposes private files | 6.5 | May 8, 2026
MEDIUM | CVE-2026-44568 | open-webui: XSS in pending overlay enables session hijack | 4.8 | May 8, 2026
HIGH | CVE-2026-44549 | open-webui: XSS via XLSX preview enables session hijack | 7.3 | May 8, 2026
HIGH | CVE-2026-44567 | Open WebUI: auth bypass gives pending users full LLM access | 7.3 | May 8, 2026
HIGH | CVE-2026-44566 | Open WebUI: path traversal + file upload leads to RCE | 7.3 | May 8, 2026
HIGH | CVE-2026-44721 | open-webui: XSS in model descriptions steals session tokens | 7.3 | May 8, 2026
CRITICAL | CVE-2026-44551 | open-webui: LDAP auth bypass — full account takeover | 9.1 | May 8, 2026
MEDIUM | CVE-2026-44550 | open-webui: mass assignment enables cross-user folder injection | 5.0 | May 8, 2026
HIGH | CVE-2026-44553 | open-webui: stale Socket.IO role allows cross-user note R/W | 8.1 | May 8, 2026
Showing 26–50 of 92