Information Disclosure Vulnerability in Open WebUI by Open WebUI
CVE-2026-59213
3.5LOW
What is CVE-2026-59213?
Open WebUI, a self-hosted AI platform, has a vulnerability found in versions prior to 0.10.0. The get_all_models handlers in the routers 'openai.py' and 'ollama.py' incorrectly utilized a lambda function for the aiocache key instead of the proper key_builder. This flaw resulted in permission-filtered per-user model lists sharing a static cache entry, allowing one user’s model listings to be exposed to other users during the TTL window. The vulnerability has been addressed in version 0.10.0.
Affected Version(s)
open-webui >= 0.6.27, < 0.10.0
