PT-2026-56895 · Openwebui · Open-Webui
Publicado
2026-07-09
·
Atualizado
2026-07-09
·
CVE-2026-59221
CVSS v3.1
7.7
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, sanitize proxy path in backend/open webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.
Correção
SSRF
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Open-Webui