Browse all 40 CVE security advisories affecting open-webui. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Open-webui serves as a self-hosted, feature-rich interface for interacting with large language models, primarily enabling users to deploy and manage AI applications locally or within private networks. Its architecture, which bridges web clients with backend model services, has historically exposed it to critical vulnerabilities, including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and improper access control issues. With forty recorded CVEs, the software frequently suffers from insecure direct object references and authentication bypasses, often stemming from complex integration layers between the UI and underlying model APIs. Recent incidents highlight risks related to unvalidated file uploads and session management flaws, allowing attackers to escalate privileges or execute arbitrary commands. These recurring security gaps underscore the necessity for rigorous input validation and strict permission controls when deploying open-webui in production environments, particularly given its role in handling sensitive data interactions.
This page lists every published CVE security advisory associated with open-webui. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.