{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28786", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.244Z", "datePublished": "2026-03-26T23:37:25.673Z", "dateUpdated": "2026-03-27T13:53:30.683Z"}, "containers": {"cna": {"title": "Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-209", "lang": "en", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h"}], "affected": [{"vendor": "open-webui", "product": "open-webui", "versions": [{"version": "< 0.8.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:37:25.673Z"}, "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose message \u2014 including the server's absolute `DATA_DIR` path \u2014 is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue."}], "source": {"advisory": "GHSA-vvxm-vxmr-624h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:27:12.139750Z", "id": "CVE-2026-28786", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:53:30.683Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`", "source": {"advisory": "GHSA-vvxm-vxmr-624h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "open-webui", "product": "open-webui", "versions": [{"status": "affected", "version": "< 0.8.6"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h", "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose message \u2014 including the server's absolute `DATA_DIR` path \u2014 is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:37:25.673Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28786", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:27:12.139750Z"}}}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T13:27:06.627Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-28786", "state": "PUBLISHED", "dateUpdated": "2026-03-26T23:37:25.673Z", "dateReserved": "2026-03-03T14:25:19.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T23:37:25.673Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*", "matchCriteriaId": "98042D01-E16B-45CE-9BBC-E5A6E2AA2370", "versionEndExcluding": "0.8.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose message \u2014 including the server's absolute `DATA_DIR` path \u2014 is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue."}, {"lang": "es", "value": "Open WebUI es una plataforma de inteligencia artificial autoalojada dise\u00f1ada para operar totalmente fuera de l\u00ednea. Antes de la versi\u00f3n 0.8.6, un campo de nombre de archivo no saneado en el endpoint de transcripci\u00f3n de voz a texto permite a cualquier usuario autenticado no administrador activar un 'FileNotFoundError' cuyo mensaje \u2014 incluyendo la ruta absoluta 'DATA_DIR' del servidor \u2014 se devuelve textualmente en el cuerpo de la respuesta HTTP 400, confirmando la revelaci\u00f3n de informaci\u00f3n en todas las implementaciones predeterminadas. La versi\u00f3n 0.8.6 corrige el problema."}], "id": "CVE-2026-28786", "lastModified": "2026-03-30T17:25:24.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T00:16:22.503", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "open-webui", "source": "cna", "vendor": "open-webui"}, "product": "open-webui", "vendor": "open-webui"}], "analysis": {"en": {"generated_at": "2026-03-30T18:28:29.866586+00:00", "value": {"mitigation_remediation": ["Upgrade Open WebUI to version 0.8.6 or later, which removes the vulnerable filename handling.", "Verify that the /api/v1/audio/transcriptions endpoint no longer returns file path information in error responses.", "Ensure that only authorized administrators have permissions that could lead to unintended information disclosure.", "If an upgrade is not immediately possible, temporarily disable detailed error messages in the application configuration to prevent path disclosure."], "summary": {"action": "Apply patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Open WebUI, versions prior to 0.8.6, across all default deployments. The affected component is the /api/v1/audio/transcriptions endpoint in the self\u2011hosted artificial intelligence platform.", "description_and_impact": "An unsanitized filename field in the speech\u2011to\u2011text transcription endpoint causes a FileNotFoundError whose message includes the server\u2019s absolute DATA_DIR path. The HTTP 400 response returns this message verbatim, revealing directory structure information to any authenticated non\u2011admin user. The vulnerability does not allow remote code execution but does enable an attacker to gather internal file system details that could assist further attacks.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact, and the EPSS score below 1% suggests low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers need authenticated non\u2011admin access to trigger the error, so the threat is limited to users who can log in to the application. Nonetheless, disclosure of absolute paths can aid attackers in mapping the system, so the risk is non\u2011zero for exposed deployments."}}}}, "created": "2026-03-27T08:31:23.144129+00:00", "updated": "2026-03-30T20:57:20.485519+00:00", "vendors": ["open-webui", "open-webui$PRODUCT$open-webui"]}