← volver
CVE-2026-59222

Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials

CVSS 6 MEDIUMCWE-200
Vexday Risk Score
10Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6EPSS KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
09 jul 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
open-webui · open-webui