CVE-2026-45667 – Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)

CVE ID :CVE-2026-45667

Published : May 15, 2026, 10:16 p.m. | 41 minutes ago

Description :Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDING_FUNCTION(…). This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used. This vulnerability is fixed in 0.8.0.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8704 – Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified

CVE-2026-8700 – Crypt::DSA versions before 1.20 for Perl generate seeds using rand

CVE-2026-45666 – Open WebUI: Indirect Object Reference (IDOR) in user notes

CVE-2026-45665 – Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order