Data Leakage Vulnerability in Open WebUI by Open WebUI
CVE-2026-59215
3.1LOW
What is CVE-2026-59215?
Open WebUI, a powerful and self-hosted AI platform, was found to have a vulnerability in its channel thread parent and reply handling functionality. Specifically, prior to version 0.10.0, the parent_id was not correctly bound to the channel within the URL. This oversight allowed authenticated users to access messages from private or direct messaging channels, potentially disclosing sensitive thread context across different channels. The issue has been addressed in the 0.10.0 update, enhancing the security and privacy of user interactions.
Affected Version(s)
open-webui < 0.10.0
