PT-2026-56880 · Openwebui · Open-Webui
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-59213
CVSS v3.1
3.5
Low
| Vector | AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N |
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get all models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Open-Webui