CVE-2026-59222 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability exists within Open WebUI, a self-hosted AI platform that enables users to deploy and manage artificial intelligence applications locally. The flaw manifests in the API endpoint GET /api/v1/channels//members which was accessible to all channel participants regardless of their privilege level. This design oversight allowed unauthorized access to sensitive user information through what should have been a simple member listing operation.

The technical implementation issue stems from insufficient access controls and data exposure mechanisms within the platform's authentication and authorization framework. When normal channel members accessed the API endpoint, they received complete UserModelResponse objects containing not only basic user information but also critical configuration data including settings.ui.toolServers[].key values and webhook configurations. These elements represent sensitive credentials and system parameters that should remain restricted to authorized users or administrators.

The operational impact of this vulnerability is significant as it creates a privilege escalation vector where any authenticated channel participant can obtain confidential information belonging to other users within the same channel. This exposure includes API keys for tool servers and webhook configurations which could potentially be exploited for further attacks including data exfiltration, unauthorized system access, or manipulation of automated workflows. The vulnerability represents a direct violation of the principle of least privilege and data confidentiality principles.

This issue aligns with CWE-284 Access Control flaws and specifically demonstrates inadequate authorization checks within REST API endpoints. From an ATT&CK perspective, this vulnerability maps to T1566 Initial Access through credential access techniques and could enable further lateral movement within the system. The flaw represents a classic case of information disclosure where sensitive data is exposed beyond intended access boundaries.

The fix implemented in version 0.10.0 addresses this by enforcing proper access controls and data filtering mechanisms. This update ensures that users can only access information relevant to their own privileges while maintaining appropriate separation of concerns between different user roles within the platform. The remediation approach should include implementing role-based access control for API endpoints, validating access permissions before returning sensitive data, and establishing proper data sanitization procedures to prevent unauthorized information disclosure.

Organizations using Open WebUI versions between 0.7.0 and 0.10.0 should immediately implement mitigations including network segmentation, monitoring for unusual API access patterns, and credential rotation for affected users. Security teams should also conduct thorough audits of similar endpoints to identify potential additional exposure points within the platform architecture. The vulnerability highlights the critical importance of implementing comprehensive access control mechanisms in multi-user applications where different privilege levels exist within shared environments.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!