CVE-2026-45365
5.4 MEDIUMOpen WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
Published: 2026-05-15 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 5.4 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CWE
- CWE-285
Affected products
| Vendor | Product |
|---|---|
| openwebui | open_webui |
Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted models. This vulnerability is fixed in 0.8.11.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-45667 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.5 MEDIUM)
- CVE-2026-45666 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.5 MEDIUM)
- CVE-2026-45665 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (8.1 HIGH)
- CVE-2026-45351 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.5 MEDIUM)
- CVE-2026-45350 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (7.1 HIGH)
Same CWE
- CVE-2026-47298 — Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network (8.0 HIGH)
- CVE-2026-45503 — Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network (8.1 HIGH)
- CVE-2026-45490 — Improper authorization in .NET allows an authorized attacker to elevate privileges locally (7.8 HIGH)
- CVE-2026-42902 — Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally (7.8 HIGH)
- CVE-2026-11619 — A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2 (6.3 MEDIUM)