CVE-2026-59213
LOW SEVERITYCVSS Score & Metrics
Base Score
3.5 / 10
Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Vulnerability Description
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-524
Source
NVD
Vendor
open-webui
Product
open-webui
External References
- https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75
- https://github.com/open-webui/open-webui/pull/25783
- https://github.com/open-webui/open-webui/releases/tag/v0.10.0
- https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq
- https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq
Discussion (0)
Add Comment
No comments yet. Be the first!