EUVD-2026-16480

CVE-2026-28786 | Severity: MEDIUM | Published: 2026-03-27 | CVSS 3.1 base score: 4.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
EUVD ID Assigned: Mar 27, 2026 - 00:22 (euvd) - EUVD-2026-16480
Analysis Generated: Mar 27, 2026 - 00:22 (vuln.today)
CVE Published: Mar 27, 2026 - 00:16 (nvd)

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose message (including the server's absolute `DATA_DIR` path) is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue.

Analysis

Open WebUI versions prior to 0.8.6 disclose the server's absolute DATA_DIR path to any authenticated non-admin user via unsanitized filename handling in the speech-to-text transcription endpoint, which returns FileNotFoundError messages in HTTP 400 responses. This information disclosure affects all default deployments and requires only user-level authentication to trigger. …


Remediation

Within 30 days: identify affected systems and apply the vendor patch (Open WebUI 0.8.6 or later) as part of the regular patch cycle. Review file-handling controls, in particular filename sanitization and whether raw exception messages are returned to clients.


Priority Score

Score: 22 (scale: Low / Medium / High / Critical)

Contributing factors:
- KEV: 0
- EPSS: +0.0
- CVSS: +22
- POC: 0


EUVD-2026-16480 vulnerability details – vuln.today
