Openwebui Security Vulnerabilities (CVEs)
Track 29 security vulnerabilities affecting Openwebui products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
This stored cross-site scripting (XSS) vulnerability in Open WebUI allows attackers to inject malicious HTML into chat history metadata, which gets ex...
Feb 19, 2026

This vulnerability allows authenticated remote attackers to execute arbitrary system commands on Open WebUI installations. Attackers can inject malici...
Jan 23, 2026

This vulnerability allows authenticated remote attackers to execute arbitrary Python code on Open WebUI installations via command injection in the loa...
Jan 23, 2026

Open WebUI transmits credentials in plaintext, allowing network-adjacent attackers to intercept authentication data without authentication. This affec...
Jan 23, 2026

An authentication bypass vulnerability in Open-WebUI's /api/config endpoint allows unauthenticated remote attackers to access sensitive system configu...
Dec 18, 2025

A stored cross-site scripting (XSS) vulnerability in Open WebUI allows authenticated users to upload malicious Markdown files containing SVG tags that...
Dec 4, 2025

Open WebUI versions before 0.6.37 contain a Server-Side Request Forgery (SSRF) vulnerability that allows any authenticated user to make the server sen...
Dec 4, 2025

Open WebUI v0.6.33 has an access control vulnerability where the /api/tasks/stop/ endpoint allows any authenticated user to cancel arbitrary LLM respo...
Dec 4, 2025

Open WebUI versions 0.6.34 and below contain a DOM-based cross-site scripting (XSS) vulnerability in the custom prompt insertion feature. When 'Insert...
Nov 8, 2025

Open WebUI versions 0.6.224 and earlier contain a code injection vulnerability in the Direct Connections feature. Malicious external model servers can...
Nov 8, 2025

Open WebUI versions before 0.6.6 contain a stored cross-site scripting (XSS) vulnerability where attackers can inject JavaScript into chat messages. W...
May 5, 2025

This vulnerability in open-webui v0.3.10 allows unauthenticated attackers to access the PDF generation endpoint, potentially causing denial of service...
Mar 20, 2025

This vulnerability in open-webui version 0.3.8 exposes an unauthenticated markdown-to-HTML conversion endpoint. Attackers can send specially crafted m...
Mar 20, 2025

A stored XSS vulnerability in open-webui version 0.3.8 allows attackers to inject malicious scripts via the model description field. When executed, th...
Mar 20, 2025

A cross-site scripting (XSS) vulnerability in open-webui versions up to 0.3.8 allows attackers to inject malicious scripts into tooltips. When exploit...
Mar 20, 2025

This vulnerability allows non-admin users to execute arbitrary code remotely via CSRF attacks in open-webui versions up to 0.3.8. Attackers can craft ...
Mar 20, 2025

This vulnerability allows an attacker with a user-level account to perform a session fixation attack in open-webui/open-webui version 0.3.8. By embedd...
Mar 20, 2025

CVE-2024-7034 allows attackers to write arbitrary files on systems running vulnerable open-webui versions by exploiting directory traversal in file up...
Mar 20, 2025

This CSRF vulnerability in open-webui/open-webui v0.3.8 allows attackers to trick authenticated users into performing sensitive actions like deleting ...
Mar 20, 2025

An unauthenticated attacker can cause denial-of-service by submitting excessively large text in the 'name' field during signup, making the Admin panel...
Mar 20, 2025

This vulnerability allows an authenticated admin user to delete other administrators through direct API calls, bypassing UI restrictions. It affects o...
Mar 20, 2025

An improper access control vulnerability in Open WebUI v0.3.8 allows unauthenticated attackers to view and delete any files uploaded by users. Attacke...
Mar 20, 2025

A stored XSS vulnerability in open-webui version 0.3.8 allows attackers to upload malicious files containing JavaScript. When victims access these fil...
Mar 20, 2025

This vulnerability in open-webui v0.3.8 allows attackers to bypass access controls and view all prompts created by administrators. Attackers can retri...
Mar 20, 2025

This vulnerability allows attackers to write arbitrary files to the server's filesystem by manipulating file paths in the download_model endpoint. It ...
Mar 20, 2025

This vulnerability in open-webui/open-webui allows unauthenticated attackers to submit extremely large payloads in email and password fields during si...
Mar 20, 2025

This vulnerability in open-webui version 0.3.32 allows unauthenticated attackers to send large POST requests to the /api/v1/utils/code/format endpoint...
Mar 20, 2025

This vulnerability allows users with pending roles to obtain authentication tokens and perform unauthorized actions without admin approval. It affects...
Oct 10, 2024

This CVE describes a path traversal vulnerability that allows attackers to upload malicious files to arbitrary locations on the web server's filesyste...
Aug 7, 2024

Why Monitor Openwebui Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 29+ known vulnerabilities affecting Openwebui products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Openwebui packages in under 60 seconds. No agents required - completely agentless scanning that works across Openwebui deployments.
Free vulnerability database: Access detailed information about every Openwebui CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.
🚀 Get Started in 60 Seconds
- Register free account & add your servers
- Run one-time scan or schedule automatic monitoring (every 1-24 hours)
- Receive instant alerts when new Openwebui CVEs affect your systems
- Access dashboard with severity breakdown & fix instructions