Skip to main content

Open Webui CVE-2026-34222

| EUVD-2026-17977 HIGH
Improper Authorization (CWE-285)
2026-04-01 GitHub_M GHSA-7429-hxcv-268m
Authentication Bypass Open Webui
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 17:30 euvd
EUVD-2026-17977
Analysis Generated
Apr 01, 2026 - 17:30 vuln.today
CVE Published
Apr 01, 2026 - 17:02 nvd
HIGH 7.7

DescriptionGitHub Advisory

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11.

AnalysisAI

Broken access control in Open WebUI allows authenticated users to access tool values across tenant boundaries, exposing sensitive information from other users' AI tool configurations. The vulnerability affects self-hosted Open WebUI instances prior to version 0.8.11. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Open WebUI
Exploit
Access tool values endpoint
Execution
Bypass access controls
Impact
Retrieve confidential tool configuration data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires authenticated access to Open WebUI versions prior to 0.8.11. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS score of 7.7 reflects genuine risk driven by high confidentiality impact (C:H) with changed scope (S:C), indicating tenant isolation failure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker with low-privilege access to a shared Open WebUI instance enumerates tool configurations beyond their authorized scope. By exploiting the broken access control, they retrieve tool values containing API keys, authentication tokens, or integration credentials configured by other users or tenants. …
Remediation Upgrade Open WebUI to version 0.8.11 or later, which contains the patch for this broken access control vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Open WebUI instances in your environment and document their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-34222 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy