CVE-2026-59213
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/07/2026
Last modified:
09/07/2026
Description
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.
Impact
Base Score 3.x
3.50
Severity 3.x
LOW
References to Advisories, Solutions, and Tools
- https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75
- https://github.com/open-webui/open-webui/pull/25783
- https://github.com/open-webui/open-webui/releases/tag/v0.10.0
- https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq
- https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq



