GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
5,090 advisories
Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
High
CVE-2026-45672 was published for open-webui (pip) May 14, 2026
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
High
CVE-2026-45402 was published for open-webui (pip) May 14, 2026
Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958)
High
CVE-2026-45401 was published for open-webui (pip) May 14, 2026
Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`
High
CVE-2026-45400 was published for open-webui (pip) May 14, 2026
Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
High
CVE-2026-45398 was published for open-webui (pip) May 14, 2026
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
Moderate
CVE-2026-45397 was published for open-webui (pip) May 14, 2026
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
Moderate
CVE-2026-45396 was published for open-webui (pip) May 14, 2026
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
High
CVE-2026-45675 was published for open-webui (pip) May 14, 2026
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
High
CVE-2026-45671 was published for open-webui (pip) May 14, 2026
Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
High
CVE-2026-45399 was published for open-webui (pip) May 14, 2026
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
Moderate
CVE-2026-45387 was published for open-webui (pip) May 14, 2026
Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint
Moderate
CVE-2026-45386 was published for open-webui (pip) May 14, 2026
Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
Moderate
CVE-2026-45385 was published for open-webui (pip) May 14, 2026
Open WebUI has Broken Access Control for Completions API
High
CVE-2026-45349 was published for open-webui (pip) May 14, 2026
Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
Moderate
CVE-2026-45339 was published for open-webu (pip) May 14, 2026
Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature
High
CVE-2026-45331 was published for open-webui (pip) May 14, 2026
Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Moderate
CVE-2026-44568 was published for open-webui (pip) May 8, 2026
Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search
Moderate
CVE-2026-44560 was published for open-webui (pip) May 8, 2026
Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels
Moderate
CVE-2026-44561 was published for open-webui (pip) May 8, 2026
Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO
Moderate
CVE-2026-44564 was published for open-webui (pip) May 8, 2026
Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
Moderate
CVE-2026-44563 was published for open-webui (pip) May 8, 2026
Open WebUI's Model Import Overwrites Any Model Without Ownership Check
Moderate
CVE-2026-44562 was published for open-webui (pip) May 8, 2026
Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels
Moderate
CVE-2026-44559 was published for open-webui (pip) May 8, 2026
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Moderate
CVE-2026-44557 was published for open-webui (pip) May 8, 2026
Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
High
CVE-2026-44554 was published for open-webui (pip) May 8, 2026
ProTip! Advisories are also available from the GraphQL API