CVE-2026-45667
Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDING_FUNCTION(...). This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used. This vulnerability is fixed in 0.8.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Produtos afetados
open-webui · open-webuiQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →