GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
44 advisories
praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR
High
CVE-2026-47415
was published
for
praisonai-platform
(pip)
Jun 1, 2026
praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR
High
CVE-2026-47417
was published
for
praisonai-platform
(pip)
Jun 1, 2026
praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR
High
CVE-2026-47418
was published
for
praisonai-platform
(pip)
Jun 1, 2026
praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link)
High
CVE-2026-47414
was published
for
praisonai-platform
(pip)
May 29, 2026
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID
High
CVE-2026-47399
was published
for
praisonai-platform
(pip)
May 29, 2026
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
Critical
CVE-2026-47407
was published
for
praisonai-platform
(pip)
May 29, 2026
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API
High
CVE-2026-48169
was published
for
praisonai-platform
(pip)
May 29, 2026
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
High
CVE-2026-45671
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI has an Indirect Object Reference (IDOR) in user notes
Moderate
CVE-2026-45666
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
High
CVE-2026-45402
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
High
CVE-2026-45398
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint
Moderate
CVE-2026-45386
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
Moderate
CVE-2026-45385
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI has Broken Access Control for Completions API
High
CVE-2026-45349
was published
for
open-webui
(pip)
May 14, 2026
Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)
High
CVE-2026-44504
was published
for
aegra-api
(pip)
May 7, 2026
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
High
CVE-2026-34046
was published
for
langflow
(pip)
Mar 27, 2026
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Low
CVE-2026-29071
was published
for
open-webui
(pip)
Mar 27, 2026
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
High
CVE-2026-28788
was published
for
open-webui
(pip)
Mar 27, 2026
langflow has Unauthenticated IDOR on Image Downloads
High
CVE-2026-33484
was published
for
langflow
(pip)
Mar 20, 2026
Langflow is Missing Ownership Verification in API Key Deletion (IDOR)
High
CVE-2026-33053
was published
for
langflow
(pip)
Mar 18, 2026
wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
Moderate
CVE-2026-27839
was published
for
wger
(pip)
Feb 26, 2026
wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
Low
CVE-2026-27838
was published
for
wger
(pip)
Feb 26, 2026
ProTip!
Advisories are also available from the
GraphQL API