Data Leakage Vulnerability in Open WebUI by Open WebUI
CVE-2026-59215

3.1LOW

Key Information:

Vendor

Open-webui

Vendor
CVE Published:
9 July 2026

What is CVE-2026-59215?

Open WebUI, a powerful and self-hosted AI platform, was found to have a vulnerability in its channel thread parent and reply handling functionality. Specifically, prior to version 0.10.0, the parent_id was not correctly bound to the channel within the URL. This oversight allowed authenticated users to access messages from private or direct messaging channels, potentially disclosing sensitive thread context across different channels. The issue has been addressed in the 0.10.0 update, enhancing the security and privacy of user interactions.

Affected Version(s)

open-webui < 0.10.0

References

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.