πŸ” CVE Alert

CVE-2026-59222

UNKNOWN 0.0

Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.

CWE CWE-200
Vendor open-webui
Product open-webui
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for open-webui open-webui

Be the first to know when new unknown vulnerabilities affecting open-webui open-webui are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

open-webui / open-webui
>= 0.7.0, < 0.10.0

References

NVD β†— CVE.org β†— EPSS Data β†—
github.com: https://github.com/open-webui/open-webui/security/advisories/GHSA-gh7p-78x6-jw6m github.com: https://github.com/open-webui/open-webui/commit/fbcdcf146b99b5002705060a8243eee769108f9e github.com: https://github.com/open-webui/open-webui/releases/tag/v0.10.0