PT-2026-56881 · Openwebui · Open-Webui

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-59215

CVSS v3.1

3.1

Low

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59215

Affected Products

Open-Webui