open-webui@0.8.11

Open WebUI

  • latest version

    0.8.12

  • first published

    1 year ago

  • latest version published

    21 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the open-webui package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Command Injection

    open-webui is an Open WebUI

    Affected versions of this package are vulnerable to Command Injection via the install_frontmatter_requirements function. An attacker can execute arbitrary code in the context of the service account by supplying crafted input that is not properly validated before being used in a system call.

    Note: This is only exploitable if the attacker is authenticated.

    How to fix Command Injection?

    There is no fixed version for open-webui.

    [0,)
    • H
    Arbitrary Code Injection

    open-webui is an Open WebUI

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the load_tool_module_by_id function in the utils/plugin.py file. An attacker can execute arbitrary code in the context of the service account by supplying a crafted string that is not properly validated before being used in Python code execution. This is only exploitable if the attacker is authenticated.

    How to fix Arbitrary Code Injection?

    There is no fixed version for open-webui.

    [0,)
    • H
    Missing Authentication for Critical Function

    open-webui is an Open WebUI

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the /api/config endpoint. An attacker can access sensitive system configuration data by sending unauthenticated GET requests to this endpoint.

    How to fix Missing Authentication for Critical Function?

    There is no fixed version for open-webui.

    [0,)