Open WebUI (Python) – Support, CVEs & Health

GHSA-24c9-2m8q-qhmh CVSS_V3

Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)

Published: 2026-05-14 Fixed in: 0.9.0

GHSA-26g9-27vm-x3q8 CVSS_V3

Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion

Published: 2026-05-14 Fixed in: 0.9.0

GHSA-26gm-93rw-cchf CVSS_V3

Open WebUI has unauthorized deletion of knowledge files

Published: 2026-03-27 Fixed in: 0.8.6

GHSA-2r4p-jpmg-48f4 CVSS_V3

Open WebUI has an LDAP Empty Password Authentication Bypass

Published: 2026-05-08 Fixed in: 0.9.0

GHSA-3856-3vxq-m6fc CVSS_V4

Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image

Published: 2026-05-14 Fixed in: 0.9.3

GHSA-3p9q-7w63-3f8q CVSS_V3

Open WebUI Allows Arbitrary File Write via the `download_model` Endpoint

Published: 2025-03-20 No fix available

GHSA-3wgj-c2hg-vm6q CVSS_V3

Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url

Published: 2026-05-14 Fixed in: 0.9.5

GHSA-3x8w-4f7p-xxc2 CVSS_V3

Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

Published: 2026-05-08 Fixed in: 0.9.0

GHSA-43g4-487m-5q6m CVSS_V3

Open WebUI Vulnerable to a Session Fixation Attack

Published: 2025-03-20 No fix available

GHSA-45m8-cpm2-3v65 CVSS_V3

Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Published: 2026-05-08 Fixed in: 0.9.0

Open WebUI