open-webui@0.9.4

Open WebUI

  • latest version: 0.9.5

  • latest non vulnerable version

  • first published: 2 years ago

  • latest version published: 14 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the open-webui package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable versions

    • High severity: Authorization Bypass Through User-Controlled Key

    open-webui is the Open WebUI package.

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the get_folders and process_chat_payload paths in the folder and chat handling code. An attacker can read files and knowledge collections they do not have access to by attaching them to a folder or causing chat processing to consume folder-backed RAG context, thereby exposing restricted content to the requester. The same issue also allows a user to add unreadable files to knowledge bases via the knowledge upload endpoints, causing private file contents to be ingested and surfaced through chat and retrieval features.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [,0.9.5)

    • Medium severity: Insertion of Sensitive Information Into Sent Data

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the get_model_by_id handler in routers/models.py. An attacker can read the admin-curated system prompt and other model behavior settings by sending a GET request for a model ID they are allowed to view but not edit. The per-ID model response includes the full serialized model object, exposing the params field to read-only callers and leaking configuration that is intended to stay hidden from non-curators.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [0.7.0,0.9.5)

    • Medium severity: Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the validate_url function in the URL parsing and request-routing path. An attacker can reach internal or loopback targets by supplying a URL containing a backslash, tab, carriage return, or line feed, causing urllib.parse.urlparse and the HTTP client to interpret the host differently. This lets a URL pass host-based filtering while the outbound request is sent to a different destination, exposing internal services and defeating private-IP allowlists.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [0.3.31,0.9.5)

    • Medium severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the update_message_by_id and delete_message_by_id handlers in channels.py. An attacker can overwrite or remove another member’s group or direct message content by sending an update or delete request for a message in a channel they belong to. This lets a verified participant tamper with conversation history, impersonate the original author’s message content, and erase messages from other users’ chats.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [0.5.0,0.9.5)

    • Medium severity: Improperly Controlled Modification of Dynamically-Determined Object Attributes

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the FeedbackForm and insert_new_feedback paths in backend/open_webui/models/feedbacks.py. An attacker can forge feedback attribution by sending a POST /api/v1/evaluations/feedback request with client-supplied user_id, id, or version fields that are accepted into the form and then written into the new record. This lets a regular authenticated user submit feedback on behalf of another user, corrupting the evaluation leaderboard and causing admin feedback exports and listings to show spoofed ownership.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [0.3.33,0.9.5)

    • Medium severity: Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through get_content_from_url in retrieval/utils.py, SafeWebBaseLoader in web/base.py, and image_edits in routers/images.py. An attacker can cause the server to fetch internal services or cloud metadata by providing a public URL that returns a 3xx redirect to a private address. The redirected response is then returned to the attacker, exposing internal resources such as RFC1918 hosts, loopback services, and 169.254.169.254 metadata endpoints.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [,0.9.5)
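A defensive outbound-URL check covering both SSRF entries above (the backslash/tab/CR/LF parser differential in the validate_url entry, and the 3xx redirect to a private address in the get_content_from_url entry). This is an added example, not Open WebUI's own validate_url or loader code; `fetch` and `resolver` are injectable stand-ins for the HTTP client and DNS so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Characters that make urllib.parse.urlparse and an HTTP client disagree
# about which host a URL names; refuse them before any parsing happens.
_FORBIDDEN_CHARS = ("\\", "\t", "\r", "\n")
_ALLOWED_SCHEMES = {"http", "https"}
_REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_private_host(host: str, resolver=socket.gethostbyname) -> bool:
    """Resolve host and report whether it is loopback, RFC1918, link-local
    (169.254.169.254 metadata included) or otherwise not globally routable."""
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (socket.gaierror, ValueError):
        return True  # unresolvable or not an address: treat as unsafe
    return not addr.is_global


def validate_outbound_url(url: str, resolver=socket.gethostbyname) -> bool:
    """Return True only for a public http(s) URL with an unambiguous host."""
    if any(c in url for c in _FORBIDDEN_CHARS):
        return False
    parts = urlparse(url)
    if parts.scheme not in _ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:  # userinfo hides the real host
        return False
    return not is_private_host(parts.hostname, resolver)


def fetch_with_redirect_checks(url, fetch, resolver=socket.gethostbyname, max_hops=5):
    """fetch(url) -> (status, headers, body); headers use lowercase keys
    (hypothetical contract for this example). Each hop, including every
    redirect target, is re-validated, so a public URL that redirects to a
    private address is refused instead of followed."""
    for _ in range(max_hops + 1):
        if not validate_outbound_url(url, resolver):
            raise ValueError(f"blocked outbound URL: {url!r}")
        status, headers, body = fetch(url)
        if status in _REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])  # relative Location allowed
            continue
        return status, body
    raise ValueError("too many redirects")
```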
    • High severity: Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization through the update_tools_by_id handler in routers/tools.py. An attacker can execute arbitrary Python code on the server by sending a tool update that modifies the tool's content after obtaining a write grant on the tool, even without the workspace permissions normally required to submit executable tool code. The vulnerable path accepts content overwrites for existing tools and passes the updated source into load_tool_module_by_id, where it is imported with exec(content, module.__dict__). In deployments where the worker runs with elevated privileges, this lets a collaborator with only per-tool write access run attacker-controlled code as the server user and potentially exfiltrate data or take over the container.

    How to fix Incorrect Authorization?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [0.3.6,0.9.5)

    • High severity: Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the profile_image_url process. An attacker can execute arbitrary JavaScript in the context of another authenticated user's session by crafting a malicious SVG image as their OAuth profile picture and tricking a victim into visiting the profile image endpoint. This allows the attacker to exfiltrate sensitive data such as authentication tokens and potentially take over the victim's account. This is only exploitable if OAuth signup is enabled or OAuth login with picture sync is active, and the attacker can set their profile picture URL at the identity provider.

    How to fix Cross-site Scripting (XSS)?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [,0.9.5)

    • Medium severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the pin_channel_message process. An attacker can modify the is_pinned, pinned_by, and pinned_at fields of messages by sending API requests with only read-level permissions.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [,0.9.5)

    • Medium severity: Missing Authentication for Critical Function

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the get_status function. An attacker can access sensitive configuration details by sending an unauthenticated HTTP GET request to the affected endpoint.

    How to fix Missing Authentication for Critical Function?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [,0.9.5)

    • High severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the retrieval process, specifically when validating access to knowledge base collections by UUID. An attacker can access, modify, or delete another user's private knowledge base by supplying a known UUID to the affected API endpoints. This is only exploitable if the attacker is an authenticated user and knows the target knowledge base UUID, which may be leaked through normal platform usage.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [,0.9.5)

    • High severity: Missing Authentication for Critical Function

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the /api/config endpoint. An attacker can access sensitive system configuration data by sending unauthenticated GET requests to this endpoint.

    How to fix Missing Authentication for Critical Function?

    Upgrade open-webui to version 0.9.5 or higher.

    Vulnerable versions: [,0.9.5)