Information Disclosure Vulnerability in Open WebUI by Open WebUI Team
CVE-2026-28786

4.3 MEDIUM

Key Information:

Vendor:
Open-webui

CVE Published:
26 March 2026

What is CVE-2026-28786?

Open WebUI, a self-hosted AI platform that can run fully offline, contains an information disclosure vulnerability in its speech-to-text transcription endpoint. An authenticated user without admin rights can submit an upload whose filename field is not sanitized; a crafted value makes the server raise a FileNotFoundError, and the exception text, which contains the server's absolute DATA_DIR path, is echoed back in the body of the HTTP 400 response. The leak itself has no integrity impact, but knowing the absolute data directory removes the guesswork from any follow-on attack that targets files on the host. The issue is fixed in version 0.8.6; deployments running an earlier version should upgrade, and until they do should assume that any non-admin account can learn the server's data-directory path.
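As an added illustration, not taken from Open WebUI's code base, the following Python models the pattern the advisory describes: a client-controlled filename is joined onto DATA_DIR, open() fails with FileNotFoundError, and the exception text (which carries the absolute path) is copied into a 400 body. The handler names, the exact way the filename triggers the error (a nonexistent directory component), and the hardened variant are assumptions for illustration; DATA_DIR is a constructed temporary directory standing in for the server's real one.

```python
import os
import re
import tempfile
import uuid

# Constructed stand-in for the server's DATA_DIR; its absolute path is the
# secret that the vulnerable handler leaks.
DATA_DIR = tempfile.mkdtemp(prefix="open-webui-data-")
UPLOAD_DIR = os.path.join(DATA_DIR, "uploads")
os.makedirs(UPLOAD_DIR, exist_ok=True)


def transcribe_vulnerable(filename: str, audio: bytes) -> tuple[int, dict]:
    """Hypothetical model of the pre-0.8.6 behaviour (not Open WebUI's code).

    The client-supplied filename is used as-is, and whatever the exception
    says is copied into the HTTP 400 body.
    """
    try:
        # Unsanitized: a filename such as "missing/dir/a.wav" points at a
        # directory that does not exist, so open() raises FileNotFoundError.
        path = os.path.join(UPLOAD_DIR, filename)
        with open(path, "wb") as fh:
            fh.write(audio)
        return 200, {"text": "(transcription would go here)"}
    except Exception as exc:
        # str(exc) is "[Errno 2] No such file or directory: '<absolute path>'",
        # which contains DATA_DIR. This is the information disclosure.
        return 400, {"detail": str(exc)}


def transcribe_hardened(filename: str, audio: bytes) -> tuple[int, dict]:
    """Hardened variant (assumed fix pattern, not necessarily the 0.8.6 diff)."""
    # 1. Drop any directory component and reduce to a conservative charset.
    name = os.path.basename(filename.replace("\\", "/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip("._") or "upload"
    # 2. Prefix a random id so the stored name is server-chosen.
    path = os.path.join(UPLOAD_DIR, f"{uuid.uuid4().hex}_{name}")
    # 3. Defence in depth: the final path must resolve inside UPLOAD_DIR.
    real_upload = os.path.realpath(UPLOAD_DIR)
    if os.path.commonpath([os.path.realpath(path), real_upload]) != real_upload:
        return 400, {"detail": "Invalid filename"}
    try:
        with open(path, "wb") as fh:
            fh.write(audio)
    except OSError:
        # Log the exception server-side; the client only sees a generic message.
        return 400, {"detail": "Could not store uploaded file"}
    return 200, {"text": "(transcription would go here)"}


def leaks_data_dir(body: dict) -> bool:
    """Answers the question the advisory raises: does this body reveal DATA_DIR?"""
    return DATA_DIR in body.get("detail", "")


if __name__ == "__main__":
    crafted = "does-not-exist/sub/dir/speech.wav"
    status, body = transcribe_vulnerable(crafted, b"RIFF....WAVE")
    print(status, body)  # 400, and "detail" contains the absolute DATA_DIR path
    status, body = transcribe_hardened(crafted, b"RIFF....WAVE")
    print(status, body)  # 200, file stored under a server-chosen name
```

The hardened handler fixes two things at once: the stored name is derived by the server rather than taken from the client, and the error branch returns a fixed message while the real exception goes to the server log. Either change alone would have closed the path leak described above; applying both also removes the class of bugs where a later code change reintroduces a client-controlled path.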

Affected Version(s)

open-webui < 0.8.6

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 26 March 2026

  • Vulnerability reserved