Skip to main content

Open WebUI CVE-2026-59213

| EUVDEUVD-2026-42629 MEDIUM
Use of Cache Containing Sensitive Information (CWE-524)
2026-07-09 security-advisories@github.com
5.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (github) PRIMARY
LOW
qualitative
NVD
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
vuln.today AI
3.5 LOW

AV:N for web API access, AC:H for TTL timing dependency, PR:L for authenticated-only exploitation, S:C because cross-user data crosses trust boundaries, C:L for model list metadata only.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Severity Changed
Jul 10, 2026 - 19:52 NVD
LOW MEDIUM
CVSS changed
Jul 10, 2026 - 19:52 NVD
3.5 (LOW) 5.0 (MEDIUM)
Patch available
Jul 09, 2026 - 18:01 EUVD
Analysis Generated
Jul 09, 2026 - 17:41 vuln.today

DescriptionNVD

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.

AnalysisAI

Cache key misconfiguration in Open WebUI versions 0.6.27 through 0.9.x leaks permission-filtered model lists across authenticated users during the aiocache TTL window. The flaw exists in both the OpenAI and Ollama router handlers, where a lambda was incorrectly passed as the cache key instead of a per-user key_builder, collapsing all users into a single shared cache entry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to shared Open WebUI instance
Delivery
Request /api/models or equivalent endpoint
Exploit
Hit shared aiocache static key entry populated by prior user
Execution
Receive victim user's permission-filtered model list
Impact
Enumerate victim's accessible AI models

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session (PR:L) on an Open WebUI instance running versions 0.6.27 to 0.9.x. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low-to-moderate for multi-tenant deployments and negligible for single-user or homogeneous-permission instances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user on a shared Open WebUI instance sends a GET request to the model list endpoint immediately after another user has populated the shared cache entry. Because the cache key is static rather than user-scoped, the attacker's response contains the victim's permission-filtered model list, revealing which AI models (potentially privileged or restricted) the victim is authorized to use. …
Remediation Vendor-released patch: v0.10.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-7053 CRITICAL POC
9.0 Mar 20

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session

CVE-2024-8017 CRITICAL POC
9.0 Mar 20

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the

CVE-2024-7044 HIGH POC
8.9 Mar 20

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui

CVE-2024-7806 HIGH POC
8.8 Mar 20

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit

CVE-2024-6707 HIGH POC
8.8 Aug 07

Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver

CVE-2025-65959 HIGH POC
8.7 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St

CVE-2025-65958 HIGH POC
8.5 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se

CVE-2024-7990 HIGH POC
8.4 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV

CVE-2024-8053 HIGH POC
8.2 Mar 20

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u

CVE-2024-7034 HIGH POC
7.2 Mar 20

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin

CVE-2024-7959 HIGH POC
7.7 Mar 20

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)

CVE-2024-12537 HIGH POC
7.5 Mar 20

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker

Share

CVE-2026-59213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy