Older Open WebUI versions let any authenticated user read other users' private data
CVE-2026-29071
Summary
Older versions of Open WebUI allow anyone with an account to read notes or files from other users. This means that if you're using an affected version, anyone who can log in can access sensitive information from other users. Update to version 0.8.6 or later to fix this.
Original title
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1...
Original description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/retrieval/query/collection`. Version 0.8.6 patches the issue.
NVD CVSS 3.1
3.1
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 27 Mar 2026