github not analyzable

open-webui/open-webui


User-friendly AI Interface (Supports Ollama, OpenAI API, ...)

maintainer: open-webui
license: NOASSERTION
first seen: 2026-05-22
last seen: 2026-06-13
releases · 30d: 1
short id
risk 42/100 · heuristic grade C (elevated)

Source not yet analyzed — this grade rests on attested signals (CVEs, supply-chain) only. It is a floor: reading the code could raise it, not lower it.

  • vulnerabilities · attested · +50
  • trust mitigators · mixed · −8

The A–E grade is our heuristic synthesis — a "review this" prompt, not a verdict. Each factor is tagged by what backs it: attested (a verifiable record), reported (a third party's claim), or inferred (our own heuristic, e.g. permissions). See methodology.

graded 8m ago

vulnerabilities · 20 CVEs · grade factor +50

CRITICAL · LDAP Empty Password Authentication Bypass · EPSS 0% · CVE-2026-44551 · affects ["<=0.8.12","<=0.8.12"]
HIGH · LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts · EPSS 0% · CVE-2026-45675 · affects ["<= 0.8.12"]
HIGH · Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed · EPSS 0% · CVE-2026-45672 · affects ["<= 0.8.11"]
HIGH · shared-chat branch ignores access_type, allowing unauthorized file deletion · EPSS 0% · CVE-2026-45671 · affects ["<= 0.8.12"]
HIGH · Stored XSS in Banner Component via Improper Sanitization Order · EPSS 0% · CVE-2026-45665 · affects ["<=0.7.2"]
HIGH · Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints · EPSS 0% · CVE-2026-45402 · affects ["<= 0.9.4"]
HIGH · Stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url · affects ["<= 0.9.4"]
HIGH · SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-… · EPSS 0% · CVE-2026-45401 · affects ["<= 0.9.4"]
HIGH · Server-Side Request Forgery (SSRF) bypass in `validate_url` · EPSS 0% · CVE-2026-45400 · affects ["<= 0.9.4"]
HIGH · Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wid… · EPSS 0% · CVE-2026-45399 · affects ["<= 0.8.12"]
HIGH · IDOR: Retrieval API Bypasses Knowledge Base Access Controls · EPSS 0% · CVE-2026-45398 · affects ["<= 0.9.4"]
HIGH · Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation t… · EPSS 0% · CVE-2026-45395 · affects ["< 0.9.5"]
HIGH · Chat completion API allows tool restrictions to be bypassed · EPSS 0% · CVE-2026-45350 · affects ["<= 0.8.5"]
HIGH · Broken Access Control for Completions API · EPSS 0% · CVE-2026-45349 · affects ["<= 0.8.12"]
HIGH · SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py) · EPSS 0% · CVE-2026-45338 · affects ["<= 0.8.12"]
HIGH · Full SSRF Vulnerability in the RAG Web Search Feature · EPSS 0% · CVE-2026-45331 · affects ["<= 0.8.12"]
HIGH · Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions · EPSS 0% · CVE-2026-45315 · affects ["<= 0.9.2"]
HIGH · XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image · EPSS 0% · CVE-2026-45314 · affects ["<= 0.9.2"]
HIGH · Stored XSS via the HTML rendering view · EPSS 0% · CVE-2026-45303 · affects ["< 0.6.5"]
HIGH · Missing permission check in files API allows authenticated users to list, access and delete every up… · EPSS 0% · CVE-2026-45301 · affects ["<= 0.3.15"]
tool safety · all quiet

No tool-safety findings — heuristic detectors run on the compute-risk cadence; a finding appears when a tool trips a rule.

embed badge · readme-ready
live risk-grade badge preview [![MCP Observatory risk grade](https://mcpobservatory.com/servers/github:open-webui/open-webui/badge.svg)](https://mcpobservatory.com/servers/github:open-webui/open-webui/security)

Heuristic, inferred signals — false positives (legitimately powerful tools, forks, language ports) are expected. Treat each as "review this", not a verdict. See the ecosystem-wide picture on the security hub, or the fleet security of open-webui.