CVE-2026-59215
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/07/2026
Last modified:
09/07/2026
Description
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent_id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. This issue is fixed in version 0.10.0.
Impact
Base Score 3.x
3.10
Severity 3.x
LOW
References to Advisories, Solutions, and Tools
- https://github.com/open-webui/open-webui/commit/a66477b7104c5d141ce7bffaea424b43e7666ef1
- https://github.com/open-webui/open-webui/pull/25766
- https://github.com/open-webui/open-webui/releases/tag/v0.10.0
- https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j
- https://github.com/open-webui/open-webui/security/advisories/GHSA-73x5-h92w-xc2j



