CVE-2026-45667

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.0

Description The endpoint "/api/v1/memories/ef" is accessible without authentication and executes the function request.app.state.EMBEDDING FUNCTION(). This allows unauthenticated users to trigger embedding generation, which can lead to direct cost exposure if a paid provider is used, as well as the consumption of CPU/GPU resources and potential rate-limit exhaustion of upstream embedding APIs.

Recommendations Update to version 0.8.0 or later.