Open WebUI Vulnerabilities

pip ML UI
Risk Score: 38
Total CVEs: 92
Critical: 1
Ecosystem: pip
Last CVE: May 14, 2026
Patch Rate: 74%
Avg Time to Patch: 4d
GitHub: 137,383 stars, 19,613 forks, 302 issues. Last push: May 15, 2026

Known Vulnerabilities (92 total, page 3 of 4)

| Severity | CVE ID | Summary | CVSS | Published |
|---|---|---|---|---|
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | 8.7 | May 8, 2026 |
| HIGH | CVE-2026-44555 | open-webui: access control bypass via model chaining | 7.6 | May 8, 2026 |
| HIGH | CVE-2026-44556 | open-webui: auth bypass allows unrestricted model access | 7.1 | May 8, 2026 |
| MEDIUM | CVE-2026-44558 | open-webui: permission bypass exposes channels publicly | 5.4 | May 8, 2026 |
| HIGH | CVE-2026-44554 | open-webui: RAG poisoning via unauthorized KB overwrite | 8.1 | May 8, 2026 |
| MEDIUM | CVE-2026-44557 | open-webui: auth bypass exposes all knowledge base metadata | 4.3 | May 8, 2026 |
| MEDIUM | CVE-2026-44559 | open-webui: private channel member list exposed to any user | 4.3 | May 8, 2026 |
| MEDIUM | CVE-2026-44562 | open-webui: missing authz enables model hijacking | 6.5 | May 8, 2026 |
| MEDIUM | CVE-2026-44563 | open-webui: auth bypass exposes restricted LLM models | 5.4 | May 8, 2026 |
| HIGH | CVE-2026-34222 | Open WebUI: access control bypass leaks Tool Valve API keys | 7.7 | Apr 1, 2026 |
| MEDIUM | CVE-2026-28786 | Open WebUI: path traversal leaks server filesystem path | 4.3 | Mar 27, 2026 |
| HIGH | CVE-2026-28788 | Open WebUI: BOLA enables RAG poisoning via file overwrite | 7.1 | Mar 27, 2026 |
| MEDIUM | CVE-2026-29070 | open-webui: missing authz allows cross-KB file deletion | 5.4 | Mar 27, 2026 |
| LOW | CVE-2026-29071 | Open WebUI: IDOR exposes AI memories and private files | 3.1 | Mar 27, 2026 |
| LOW | CVE-2024-7038 | open-webui: filesystem enumeration via admin error messages | 2.7 | Oct 9, 2024 |
| MEDIUM | CVE-2024-7037 | open-webui: path traversal → arbitrary file write/RCE | 6.5 | Oct 9, 2024 |
| MEDIUM | CVE-2024-7041 | open-webui: IDOR enables cross-user memory tampering | 6.5 | Oct 9, 2024 |
| HIGH | GHSA-5ccf-884p-4jjq | open-webui: DoS via unauthenticated multipart parsing | 7.5 | Mar 20, 2025 |
| HIGH | CVE-2024-7043 | Open WebUI: auth bypass exposes all user files | 8.1 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7044 | Open WebUI: Stored XSS via file upload, session hijack | 6.8 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7045 | open-webui: missing authz exposes admin prompts | 4.3 | Mar 20, 2025 |
| HIGH | CVE-2024-12537 | Open-WebUI: unauthenticated DoS via code formatter | 7.5 | Mar 20, 2025 |
| HIGH | CVE-2024-7039 | open-webui: Privilege bypass enables admin account deletion | 8.3 | Mar 20, 2025 |
| MEDIUM | CVE-2024-7034 | open-webui: path traversal allows arbitrary file write/RCE | 6.5 | Mar 20, 2025 |
| HIGH | CVE-2024-12534 | open-webui: unauthenticated DoS via login payload flood | 7.5 | Mar 20, 2025 |

Showing 51–75 of 92
